introduce security-sensitivity level constraints #684

Closed
28 commits
0242e4f
Initial commit of awesome cloud example. This example is notional and…
david-waltermire Mar 7, 2024
487621e
Merge pull request #565 from david-waltermire/feature-awesome-cloud
david-waltermire Mar 7, 2024
c75fe43
initial commit of OSCAL and FedRAMP-specific OSCAL external constrain…
david-waltermire Jun 19, 2024
efd9960
Added formal-names and descriptions to constraints.
david-waltermire Jun 21, 2024
9bf3129
Added work-in-progress constraint validation unit testing support.
david-waltermire Jun 26, 2024
b6af135
Improved the metadata on the OSCAL constraints.
david-waltermire Jun 26, 2024
52774c1
A few small adjustments to the Metapaths.
david-waltermire Jun 26, 2024
ad970d5
Adjusted handling of all-imports to correct possible metapath syntax …
david-waltermire Jul 8, 2024
94d494d
Introduce cucumber testing of yaml unit tests (#613)
wandmagic Jul 23, 2024
333cc3d
automate content generation and validation via CLI (#614)
wandmagic Jul 30, 2024
0318c8f
Draft allowed values metaschema and YAML unit test.
DimitriZhurkin Jul 30, 2024
42c1ded
allowed value constraints (#622)
wandmagic Aug 20, 2024
f38cbbf
improve constraint coverage tests (#633)
wandmagic Aug 22, 2024
b1fa438
Add README.md to OSCAL CLI instructions (#636)
DimitriZhurkin Aug 29, 2024
c38c2b8
informational and warning constraint results (#635)
wandmagic Sep 3, 2024
89f6c35
Improve test runner and make commands (#649)
wandmagic Sep 4, 2024
2d07ca4
Incorporated additional comments from reviewers (issue 642)
DimitriZhurkin Aug 30, 2024
88d2f0f
Implemented further comments
DimitriZhurkin Sep 4, 2024
0144fc2
Implemented additional comments
DimitriZhurkin Sep 9, 2024
9bf9f0c
Add CONTRIBUTING guide for constraints portion of codebase (#647)
aj-stein-gsa Sep 10, 2024
b5f103b
Add back-matter constraints resource-has-{title,rlink} (#650)
Gabeblis Sep 10, 2024
0083f06
Update docs with docker install and other walkthrough improvements (#…
aj-stein-gsa Sep 10, 2024
7929a55
Feature/data center constraints (#639)
wandmagic Sep 10, 2024
3161598
Test GHCR integration with "in upstream" branch instead of fork with …
aj-stein-gsa Sep 11, 2024
ddd3a02
Add back-matter 'has' constraints (#654)
Gabeblis Sep 11, 2024
a1b0f27
Actions: tighten when docker build runs and how (#682)
aj-stein-gsa Sep 11, 2024
a528d61
Trigger push on master, dev, feature branches
aj-stein-gsa Sep 11, 2024
532c3d1
introduce security-sensitivity level constraints
wandmagic Sep 11, 2024
3 changes: 3 additions & 0 deletions .dockerignore
@@ -0,0 +1,3 @@
# Ignore everything
*
!/src/validations/constraints
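Review bot: the negation `!/src/validations/constraints` admits the whole directory into the build context, including anything under it that is not a constraint file, while the Dockerfile added in this PR only copies `./src/validations/constraints/*.xml`. Narrowing the rule to `!/src/validations/constraints/*.xml` keeps the context minimal and avoids pulling in other files by accident.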
78 changes: 77 additions & 1 deletion .github/workflows/content-artifacts.yml
Expand Up @@ -4,7 +4,10 @@ on:
push:
branches:
- master
- develop
- 'feature/**'
paths:
- Dockerfile
- "src/**"
- "oscal"
pull_request:
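Review bot: the `paths` filter lists `Dockerfile`, `src/**` and `oscal` but not this workflow file, so a push that only edits `.github/workflows/content-artifacts.yml` (which is exactly what the new login, push and attestation steps below are) will not trigger a run; add `.github/workflows/content-artifacts.yml` to `paths`.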
Expand All @@ -15,12 +18,23 @@ on:
name: Process Content
env:
HOME_REPO: GSA/fedramp-automation
IMAGE_NAME: GSA/fedramp-automation/validation-tools
REGISTRY: ghcr.io
# Docs: github.com/docker/metadata-action/?tab=readme-ov-file#typesha
DOCKER_METADATA_PR_HEAD_SHA: true
# https://github.com/docker/metadata-action?tab=readme-ov-file#annotations
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
jobs:
validate-and-publish-content:
name: Content Validation Checking, Conversion and Validation
runs-on: ubuntu-20.04
permissions:
contents: read
packages: write
attestations: write
id-token: write
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08
with:
path: git-content
submodules: recursive
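Review bot: the `actions/checkout` step is now pinned to a bare commit SHA with nothing indicating which release it corresponds to, which makes future review of the pin hard; add the tag as a trailing comment (`uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 # vX.Y.Z`). Separately, `IMAGE_NAME: GSA/fedramp-automation/validation-tools` is mixed-case while the Makefile in this PR tags `ghcr.io/gsa/fedramp-automation/validation-tools`; GHCR repository names must be lowercase, so confirm the metadata action normalises it or lowercase the value here.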
Expand Down Expand Up @@ -53,3 +67,65 @@ jobs:
commit_user_name: OSCAL GitHub Actions Bot
commit_user_email: [email protected]
commit_author: OSCAL GitHub Actions Bot <[email protected]>
- if: github.repository == env.HOME_REPO
name: Container image QEMU setup for cross-arch builds
id: image_setup_qemu
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
- if: github.repository == env.HOME_REPO
name: Container image buildx setup for cross-arch builds
id: image_setup_buildx
with:
platforms: linux/amd64,linux/arm64
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db
- if: github.repository == env.HOME_REPO
name: Container image login
id: image_login
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- if: github.repository == env.HOME_REPO
name: Container image metadata and tag generation
id: image_metadata
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
with:
images:
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=sha,prefix=,suffix=,format=long
type=ref,event=branch
type=ref,event=tag
type=ref,event=pr
# For now, do not auto-tag latest, maintainers will decided what is
# release-worthy.
flavor: |
latest=true
annotations:
maintainers="FedRAMP Automation Team <[email protected]>"
org.opencontainers.image.authors="FedRAMP Automation Team <[email protected]>"
org.opencontainers.image.documentation="https://automate.fedramp.gov"
org.opencontainers.image.source="https://github.com/GSA/fedramp-automation"
org.opencontainers.image.vendor="GSA Technology Transformation Services"
org.opencontainers.image.title="FedRAMP Validation Tools"
org.opencontainers.image.description="FedRAMP's tools for validating OSCAL data"
org.opencontainers.image.licenses="CC0-1.0"
- if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/feature'))
name: Container image registry push
id: image_registry_push
uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
with:
context: git-content
push: true
tags: ${{ steps.image_metadata.outputs.tags }}
labels: ${{ steps.image_metadata.outputs.annotations }}
platforms: linux/amd64,linux/arm64
cache-from: type=gha
cache-to: type=gha,mode=max
- if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/feature'))
name: Container image push attestations
uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
subject-digest: ${{ steps.image_registry_push.outputs.digest }}
push-to-registry: false
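Review bot: `flavor: latest=true` contradicts the comment directly above it ("do not auto-tag latest"): with `latest=true` the metadata action emits a `latest` tag on every run, including feature-branch pushes, so either remove the `flavor` block or set `latest=false`. Second, `labels: ${{ steps.image_metadata.outputs.annotations }}` feeds the annotations output into the image labels; the action's labels live in `outputs.labels`, and `outputs.annotations` (produced here per `DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index`) is level-prefixed and meant for build-push-action's `annotations:` input. Third, the push and attestation steps run only for `refs/heads/master` and `refs/heads/feature*`, yet the trigger hunk also adds `develop`; if `develop` is deliberately not published, a comment saying so would save the next reader a question.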
4 changes: 2 additions & 2 deletions .github/workflows/create-release.yml
Expand Up @@ -5,11 +5,11 @@ on:
- "*"
jobs:
build-release:
runs-on: ubuntu-latest
runs-on: ubuntu-20.04

steps:
# Check-out the repository under $GITHUB_WORKSPACE
- uses: actions/checkout@v2
- uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08

- name: Read Node version from .nvmrc
run: echo "##[set-output name=NVMRC;]$(cat .nvmrc)"
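Review bot: while this file is being repinned, the adjacent `Read Node version from .nvmrc` step still uses the `##[set-output ...]` workflow command, which GitHub has deprecated in favour of writing to `$GITHUB_OUTPUT` (for example `echo "NVMRC=$(cat .nvmrc)" >> "$GITHUB_OUTPUT"`); worth updating in the same pass so the job does not start failing when the command is removed.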
59 changes: 23 additions & 36 deletions .github/workflows/run-tests.yml
Expand Up @@ -7,64 +7,51 @@ on:
push:
branches:
- master
- develop
- 'feature/**' # This will match any branch starting with "feature"

pull_request:

# the job requires some dependencies to be installed (including submodules), runs the tests, and then reports results
jobs:
# one job that runs tests
run-tests:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [macos-latest, ubuntu-latest, windows-latest]
arch: [arm64, x86_64]

os: [ubuntu-20.04, windows-2022]
runs-on: ${{ matrix.os }}
# Checkout repository and its submodules
steps:
# Check-out the repository under $GITHUB_WORKSPACE
- name: Checkout repository
uses: actions/checkout@v2
uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08

- name: Set up Java
uses: actions/setup-java@67fbd726daaf08212a7b021c1c4d117f94a81dd3
with:
distribution: 'adopt'
java-version: '11'
- name: Read node version from `.nvmrc` file
id: nvmrc
shell: bash
run: echo ::set-output name=NODE_VERSION::$(cat .nvmrc)

- name: Install required node.js version
uses: actions/setup-node@v1
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
with:
node-version: ${{ steps.nvmrc.outputs.NODE_VERSION }}

- name: Install required Python version
uses: actions/setup-python@v4
with:
python-version: "3.10"

# Initialize the workspace with submodules and dependencies.
- name: Initialize workspace
shell: bash
run: make init

# Compile Schematron to XSL.
- name: Compile Schematron
shell: bash
run: make build-validations

- name: Run complete test suite
shell: bash
if: runner.os == 'Linux'
- name: Install OSCAL CLI
run: |
make test

- name: Run limited test suite
make init-validations
- name: Run Cucumber tests
shell: bash
if: runner.os == 'Windows' || runner.os == 'macOS'
run: |
make test-validations test-web

- name: Build all
shell: bash
if: runner.os == 'Windows' || runner.os == 'macOS'
run: |
make build
make build-validations
- name : Publish all Junit XML tests results in Github Summary
uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86
if: always()
with:
paths: |
**/reports/junit-*.xml

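Review bot: after this change the Linux leg of the matrix runs no tests at all. The only remaining test step, `Run Cucumber tests`, keeps the old `if: runner.os == 'Windows' || runner.os == 'macOS'` guard (macOS is no longer in the matrix), and the Linux-only `make test` step was removed, so `ubuntu-20.04` executes `make init` and `make init-validations` and then publishes an empty summary. Drop that `if:` guard so both runners execute the tests. The step name also does not match its command (`make test-validations test-web`, not a Cucumber invocation), and `Build all` (`make build`) is likewise gated to Windows only. Minor: `- name : Publish ...` has a stray space before the colon.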
7 changes: 7 additions & 0 deletions .gitignore
Expand Up @@ -5,6 +5,7 @@ _site
.vscode
*.DS_Store
*.code-workspace
node_modules/
dist/validations
dist/web
documents/source
Expand All @@ -14,6 +15,10 @@ src/validations/report
src/validations/src/ssp.xsl
src/validations/target
utils
sarif/
dist/
# Hugo Files
/docs/public

# XSpec reports (from OxygenXML XSpec use)
src/validations/test/rules/poam-result.html
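Review bot: `dist/` ignores the whole directory, which makes the existing `dist/validations` and `dist/web` entries above it redundant; keep just `dist/` (the Makefile already treats `dist` as a build output via `git clean -xfd dist`). Also `sarif/` here matches any directory of that name at any depth, which overlaps with the anchored `/sarif` added in the last hunk of this file; keep one of the two.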
Expand All @@ -31,3 +36,5 @@ src/validations/test/rules/rev5/ssp-result.html
src/validations/test/rules/rev4/ssp-result.html
src/validations/test/rules/rev5/poam-result.html
src/validations/test/rules/rev5/sar-result.html
/reports
/sarif
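Review bot: `/sarif` duplicates the `sarif/` entry added earlier in this file; one anchored pattern (`/sarif/`) covers the case. `/reports` is consistent with the `**/reports/junit-*.xml` glob the test-summary step collects, so that part is fine.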
2 changes: 1 addition & 1 deletion .nvmrc
@@ -1 +1 @@
v18.15.0
v20.16.0
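Review bot: bumping `.nvmrc` to v20.16.0 puts local and CI runs on Node 20, while the new Dockerfile builds the validation image from `node:22-alpine3.20`; the published container and the test runs therefore use different Node majors. Align the two (or state in a comment why they differ) so a failure is reproducible in both places.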
67 changes: 67 additions & 0 deletions Dockerfile
@@ -0,0 +1,67 @@
ARG MAVEN_IMAGE=maven:3.9.9-eclipse-temurin-22-alpine
ARG NODE_IMAGE=node:22-alpine3.20
ARG APK_EXTRA_ARGS
ARG WGET_EXTRA_ARGS
# Static analysis from docker build and push warns this is a secret, it is not.
# Per official developer instructions, it is necessary to verify the APK packages
# for Alpine or properly signed. This information is inherently public.
# https://adoptium.net/installation/linux/#_alpine_linux_instructions
ARG TEMURIN_APK_KEY_URL=https://packages.adoptium.net/artifactory/api/security/keypair/public/repositories/apk
ARG TEMURIN_APK_REPO_URL=https://packages.adoptium.net/artifactory/apk/alpine/main
ARG TEMURIN_APK_VERSION=temurin-22-jdk
ARG MAVEN_DEP_PLUGIN_VERSION=3.8.0
ARG OSCAL_CLI_VERSION=2.0.2
# Current public key ID for [email protected] releases of oscal-cli
# Static analysis from docker build and push warns this is a secret, it is not
# and is necessary to cross-ref the Maven GPG key for checking build signatures.
# https://keyserver.ubuntu.com/pks/lookup?search=0127D75951997E00&fingerprint=on&op=index
ARG OSCAL_CLI_GPG_KEY=0127D75951997E00
ARG OSCAL_JS_VERSION=1.4.4
ARG FEDRAMP_AUTO_GIT_URL=https://github.com/GSA/fedramp-automation.git
ARG FEDRAMP_AUTO_GIT_REF=feature/external-constraints
ARG FEDRAMP_AUTO_GIT_COMMIT

FROM ${MAVEN_IMAGE} as oscal_cli_downloader
ARG MAVEN_DEP_PLUGIN_VERSION
ARG OSCAL_CLI_VERSION
ARG OSCAL_CLI_GPG_KEY
ARG APK_EXTRA_ARGS
ARG WGET_EXTRA_ARGS
RUN apk add --no-cache gpg gpg-agent unzip && \
mkdir -p /opt/oscal-cli && \
mvn \
org.apache.maven.plugins:maven-dependency-plugin:${MAVEN_DEP_PLUGIN_VERSION}:copy \
-DoutputDirectory=/opt/oscal-cli \
-DremoteRepositories=https://repo1.maven.org/maven2 \
-Dartifact=dev.metaschema.oscal:oscal-cli-enhanced:${OSCAL_CLI_VERSION}:zip:oscal-cli && \
mvn \
org.apache.maven.plugins:maven-dependency-plugin:${MAVEN_DEP_PLUGIN_VERSION}:copy \
-DoutputDirectory=/opt/oscal-cli \
-DremoteRepositories=https://repo1.maven.org/maven2 \
-Dartifact=dev.metaschema.oscal:oscal-cli-enhanced:${OSCAL_CLI_VERSION}:zip.asc:oscal-cli && \
gpg --recv-keys ${OSCAL_CLI_GPG_KEY} && \
gpg -k ${OSCAL_CLI_GPG_KEY} && \
cd /opt/oscal-cli && \
gpg --verify *.zip.asc && \
unzip *.zip && \
rm -f *.zip && \
rm -f *.zip.asc

FROM ${NODE_IMAGE} as final
ARG OSCAL_JS_VERSION
ARG TEMURIN_APK_KEY_URL
ARG TEMURIN_APK_REPO_URL
ARG TEMURIN_APK_VERSION
ARG APK_EXTRA_ARGS
ARG WGET_EXTRA_ARGS
COPY --from=oscal_cli_downloader /opt/oscal-cli /opt/oscal-cli
RUN wget ${WGET_EXTRA_ARGS} -O /etc/apk/keys/adoptium.rsa.pub "${TEMURIN_APK_KEY_URL}" && \
echo "${TEMURIN_APK_REPO_URL}" >> /etc/apk/repositories && \
apk add ${APK_EXTRA_ARGS} --no-cache ${TEMURIN_APK_VERSION} && \
mkdir -p /opt/fedramp/oscaljs && \
mkdir -p /opt/fedramp/constraints && \
(cd /opt/fedramp/oscaljs && npm install oscal@${OSCAL_JS_VERSION})
COPY ./src/validations/constraints/*.xml /opt/fedramp/constraints/
ENV PATH="$PATH:/opt/oscal-cli/bin:/opt/fedramp/oscaljs/node_modules/.bin"
WORKDIR /opt/fedramp/constraints
ENTRYPOINT [ "/opt/oscal-cli/bin/oscal-cli" ]
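Review bot: signature verification in the `oscal_cli_downloader` stage trusts whatever the default keyserver returns for the 16-hex-digit key ID `0127D75951997E00` (`gpg --recv-keys`), and `gpg --verify *.zip.asc` accepts any key present in the keyring; long key IDs are not collision-resistant, so import by full fingerprint, name the keyserver explicitly, and compare the imported fingerprint against a pinned value before verifying. Several ARGs are declared but never used: `APK_EXTRA_ARGS` and `WGET_EXTRA_ARGS` in the first stage (its `apk add --no-cache gpg gpg-agent unzip` does not reference them), and `FEDRAMP_AUTO_GIT_URL`, `FEDRAMP_AUTO_GIT_REF` and `FEDRAMP_AUTO_GIT_COMMIT` anywhere in the file. `npm install oscal@${OSCAL_JS_VERSION}` pins a version but not integrity; a committed lockfile with `npm ci` would pin the transitive tree too. Style: `FROM ... as` should be `AS`.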
37 changes: 35 additions & 2 deletions Makefile
@@ -1,4 +1,5 @@
export BASE_DIR=$(shell pwd)
OCI_REV_TAG=$(shell git rev-parse HEAD)

help:
@grep -h -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
Expand All @@ -13,7 +14,9 @@ include src/web/module.mk

all: clean build test ## Complete clean build with tests

init: init-repo init-validations init-web ## Initialize project dependencies
init: init-repo init-validations init-content init-web ## Initialize project dependencies

configure: init-validations

init-repo:
git submodule update --init --recursive
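Review bot: `init` now depends on `init-content`, but no `init-content` target is defined in this Makefile; if it lives in one of the included `module.mk` files that is fine, otherwise `make init` fails with "No rule to make target". The new `configure: init-validations` alias has no `## ...` description, so it will not appear in `make help`.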
Expand All @@ -24,7 +27,13 @@ clean-dist: ## Clean non-RCS-tracked dist files
@echo "Cleaning dist..."
git clean -xfd dist

test: test-validations test-web test-examples ## Test all
clean-oci-image:
docker rmi -f \
validation-tools:$(OCI_REV_TAG) \
ghcr.io/gsa/fedramp-automation/validation-tools:$(OCI_REV_TAG) \
gsatts/validation-tools:$(OCI_REV_TAG) \

test: build-validations ## Test all

build: build-validations build-web dist ## Build all artifacts and copy into dist directory
# Copy validations
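Review bot: `test` was `test-validations test-web test-examples` and is now only `build-validations`, so `make test` no longer runs any tests while still advertising itself as "Test all"; restore the test prerequisites or rename the target and update the help text. The `clean-oci-image` recipe also ends with a trailing `\` on the last `docker rmi` argument followed by a blank line; drop that backslash.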
Expand All @@ -37,3 +46,27 @@ build: build-validations build-web dist ## Build all artifacts and copy into di

@echo '#/bin/bash\necho "Serving FedRAMP ASAP documentation at http://localhost:8000/..."\npython3 -m http.server 8000 --directory web/' > ./dist/serve-documentation
chmod +x ./dist/serve-documentation

build-oci-image:
docker build \
--build-arg APK_EXTRA_ARGS="--no-check-certificate" \
--build-arg WGET_EXTRA_ARGS="--no-check-certificate" \
-t validation-tools:$(OCI_REV_TAG) \
-t ghcr.io/gsa/fedramp-automation/validation-tools:$(OCI_REV_TAG) \
-t gsatts/validation-tools:$(OCI_REV_TAG) \
.

publish-oci-image:
docker tag \
validation-tools:$(OCI_REV_TAG) validation-tools:latest

docker tag \
ghcr.io/gsa/fedramp-automation/validation-tools:$(OCI_REV_TAG) \
ghcr.io/gsa/fedramp-automation/validation-tools:latest

docker tag \
gsatts/validation-tools:$(OCI_REV_TAG) \
gsatts/validation-tools:latest

docker push ghcr.io/gsa/fedramp-automation/validation-tools:$(OCI_REV_TAG)
docker push ghcr.io/gsa/fedramp-automation/validation-tools:latest
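Review bot: `build-oci-image` passes `--no-check-certificate` to both `wget` and `apk` through the build args, which disables TLS certificate verification for the download of the Adoptium APK signing key (`TEMURIN_APK_KEY_URL`) and for the package fetches that key is meant to authenticate; anyone able to interpose on the build host's network path could substitute both the key and the packages. If this works around a TLS-inspecting proxy, install that proxy's CA into the build stage instead and keep certificate checking on. Also, `publish-oci-image` retags every build as `latest` unconditionally, which is at odds with the "do not auto-tag latest" intent in the workflow, and it pushes only the `ghcr.io` tags while the `gsatts/validation-tools` tags are created but never pushed.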
12 changes: 12 additions & 0 deletions cucumber.json
@@ -0,0 +1,12 @@
{
"default": {
"requireModule": ["ts-node/register"],
"import": ["features/**/*.ts"],
"format": [
["junit", "reports/junit-constraints.xml"],
["html", "reports/constraints.html"]
],
"retry": 2,
"retryTagFilter": "@flaky"
}
}