From 2ae314a979f9f5da62452ddbae8788b4f1ca5033 Mon Sep 17 00:00:00 2001
From: Gabeblis <gabriel.rodriguez@gsa.gov>
Date: Fri, 6 Dec 2024 15:59:05 +0000
Subject: [PATCH 1/3] Add 'used-by-link-references-component' constraint

---
 features/fedramp_extensions.feature                   |  3 +++
 .../ssp-used-by-link-references-component-INVALID.xml | 11 +++++++++++
 .../constraints/fedramp-external-constraints.xml      |  5 +++++
 .../used-by-link-references-component-FAIL.yaml       |  9 +++++++++
 .../used-by-link-references-component-PASS.yaml       |  9 +++++++++
 5 files changed, 37 insertions(+)
 create mode 100644 src/validations/constraints/content/ssp-used-by-link-references-component-INVALID.xml
 create mode 100644 src/validations/constraints/unit-tests/used-by-link-references-component-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/used-by-link-references-component-PASS.yaml

diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
index 423497d98..68f7d9687 100644
--- a/features/fedramp_extensions.feature
+++ b/features/fedramp_extensions.feature
@@ -137,6 +137,7 @@ Examples:
   | security-level |
   | security-sensitivity-level-matches-security-impact-level |
   | unique-inventory-item-asset-id |
+  | used-by-link-references-component |
   | user-authentication |
   | user-has-authorized-privilege |
   | user-has-role-id |
@@ -385,6 +386,8 @@ Examples:
   | security-sensitivity-level-matches-security-impact-level-PASS.yaml |
   | unique-inventory-item-asset-id-FAIL.yaml |
   | unique-inventory-item-asset-id-PASS.yaml |
+  | used-by-link-references-component-FAIL.yaml |
+  | used-by-link-references-component-PASS.yaml |
   | user-authentication-FAIL.yaml |
   | user-authentication-PASS.yaml |
   | user-has-authorized-privilege-FAIL.yaml |
diff --git a/src/validations/constraints/content/ssp-used-by-link-references-component-INVALID.xml b/src/validations/constraints/content/ssp-used-by-link-references-component-INVALID.xml
new file mode 100644
index 000000000..1b56f1fef
--- /dev/null
+++ b/src/validations/constraints/content/ssp-used-by-link-references-component-INVALID.xml
@@ -0,0 +1,11 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000">
+  <system-implementation>
+    <!-- <component uuid="11111111-2222-4000-8000-009000000000" type="service">
+    </component> Missing the referenced component in the used-by link.-->
+    <component uuid="11111111-2222-4000-8000-009000200001" type="service">
+      <link rel="used-by" href="#11111111-2222-4000-8000-009000000000"/>
+      <protocol name="ftp" uuid="11111111-2222-4000-8000-010000000001">
+      </protocol>
+    </component>
+  </system-implementation>
+</system-security-plan>
\ No newline at end of file
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index af7ae5b20..67d3a8491 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -564,6 +564,11 @@
                     <p>A FedRAMP SSP's inventory item MUST have an Asset ID that is unique across all inventory items in the system and its components.</p>
                 </remarks>
             </is-unique>
+            <expect id="used-by-link-references-component" target="component[protocol]/link[@rel='used-by']" test="some $uuid in ../../component/@uuid satisfies $uuid = substring-after(@href, '#')" level="ERROR">
+                <formal-name>Used-By Link References Component</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#ports-protocols-and-services"/>
+                <message>A FedRAMP SSP's component MUST reference components that use it via network communication. Component "{ string(../@uuid) }" references a nonexistent component "{@href}".</message>
+            </expect>
         </constraints>
     </context>
 
diff --git a/src/validations/constraints/unit-tests/used-by-link-references-component-FAIL.yaml b/src/validations/constraints/unit-tests/used-by-link-references-component-FAIL.yaml
new file mode 100644
index 000000000..1f595610c
--- /dev/null
+++ b/src/validations/constraints/unit-tests/used-by-link-references-component-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for used-by-link-references-component
+  description: >-
+    This test case validates the behavior of constraint
+    used-by-link-references-component
+  content: ../content/ssp-used-by-link-references-component-INVALID.xml
+  expectations:
+    - constraint-id: used-by-link-references-component
+      result: fail
diff --git a/src/validations/constraints/unit-tests/used-by-link-references-component-PASS.yaml b/src/validations/constraints/unit-tests/used-by-link-references-component-PASS.yaml
new file mode 100644
index 000000000..11c276fad
--- /dev/null
+++ b/src/validations/constraints/unit-tests/used-by-link-references-component-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for used-by-link-references-component
+  description: >-
+    This test case validates the behavior of constraint
+    used-by-link-references-component
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+    - constraint-id: used-by-link-references-component
+      result: pass

From a4d368d9270253a81532ce82c3a1eacdf98c50e4 Mon Sep 17 00:00:00 2001
From: Gabeblis <gabriel.rodriguez@gsa.gov>
Date: Fri, 6 Dec 2024 12:13:33 -0500
Subject: [PATCH 2/3] Fix message

Co-authored-by: Kylie Hunter <kylie.hunter@gsa.gov>
---
 src/validations/constraints/fedramp-external-constraints.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index 67d3a8491..f467845db 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -567,7 +567,7 @@
             <expect id="used-by-link-references-component" target="component[protocol]/link[@rel='used-by']" test="some $uuid in ../../component/@uuid satisfies $uuid = substring-after(@href, '#')" level="ERROR">
                 <formal-name>Used-By Link References Component</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#ports-protocols-and-services"/>
-                <message>A FedRAMP SSP's component MUST reference components that use it via network communication. Component "{ string(../@uuid) }" references a nonexistent component "{@href}".</message>
+                <message>A FedRAMP SSP's component MUST reference the existing component(s) that use it via network communication. However, component "{ string(../@uuid) }" references a nonexistent component "{@href}".</message>
             </expect>
         </constraints>
     </context>

From 222be66b4439dc4732e316930bfe3d59ec38b40a Mon Sep 17 00:00:00 2001
From: Gabeblis <gabriel.rodriguez@gsa.gov>
Date: Fri, 6 Dec 2024 14:05:20 -0500
Subject: [PATCH 3/3] fix message

Co-authored-by: DimitriZhurkin <dimitri.zhurkin@noblis.org>
---
 src/validations/constraints/fedramp-external-constraints.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index f467845db..61e439248 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -567,7 +567,7 @@
             <expect id="used-by-link-references-component" target="component[protocol]/link[@rel='used-by']" test="some $uuid in ../../component/@uuid satisfies $uuid = substring-after(@href, '#')" level="ERROR">
                 <formal-name>Used-By Link References Component</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#ports-protocols-and-services"/>
-                <message>A FedRAMP SSP's component MUST reference the existing component(s) that use it via network communication. However, component "{ string(../@uuid) }" references a nonexistent component "{@href}".</message>
+                <message>A FedRAMP SSP's component MUST reference the existing component(s) that use it via network communication. However, component "{../@uuid}" references a nonexistent component "{@href}".</message>
             </expect>
         </constraints>
     </context>