add example usage of heterogeneous PVPs
Signed-off-by: Takumi Yanagawa <[email protected]>
yana1205 committed Jun 4, 2024
1 parent 2b0081c commit 9721932
Showing 16 changed files with 1,763 additions and 10 deletions.
9 changes: 9 additions & 0 deletions .secrets.baseline
Expand Up @@ -172,6 +172,15 @@
"type": "Hex High Entropy String",
"verified_result": null
}
],
"plugins_public/tests/data/heterogeneous/auditree.json": [
{
"hashed_secret": "1e5c2f367f02e47a8c160cda1cd9d91decbac441",
"is_verified": false,
"line_number": 12,
"type": "Secret Keyword",
"verified_result": null
}
]
},
"version": "0.13.1+ibm.61.dss",
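Review bot: the new baseline entry for plugins_public/tests/data/heterogeneous/auditree.json line 12 is recorded with `"is_verified": false` and `"verified_result": null`, i.e. the Secret Keyword finding is being whitelisted without an audit disposition. Please confirm that the value on that line is a dummy fixture credential and record the audit result in the baseline rather than leaving the default unaudited entry.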
4 changes: 3 additions & 1 deletion c2p/tools/viewer/template.py
Expand Up @@ -23,7 +23,9 @@
{% for rule_result in control_result.rule_results %}
{% if rule_result.subjects|length > 0 %}
Rule {{ rule_result.id}}: {{ rule_result.description}}
Rule `{{ rule_result.id}}`:
- {{ rule_result.description}}
<details><summary>Details</summary>
{% for subject in rule_result.subjects %}
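Review bot: `{{ rule_result.description}}` is now emitted as its own markdown list item, so a Check_Description that contains a newline or starts with a list marker will break the rendered list; consider normalising whitespace before interpolation, e.g. `- {{ rule_result.description|replace('\n', ' ') }}`. Minor: the Jinja expressions still lack the closing space (`{{ rule_result.id}}`), unlike the `{% ... %}` tags in the same template.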
17 changes: 12 additions & 5 deletions c2p/tools/viewer/viewer.py
Expand Up @@ -14,7 +14,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.

from typing import List, Optional
from typing import Dict, List, Optional

from jinja2 import Template
from pydantic import BaseModel
Expand Down Expand Up @@ -73,15 +73,22 @@ def get_pass_fail_icon(result):


def render(assessment_results: AssessmentResults, component_definition: ComponentDefinition) -> str:
rule_sets = []
rule_sets_map: Dict[str, List[Dict[str, str]]] = {}
for component in component_definition.components:
if is_component_type_validation(component.type):
rule_sets = rule_sets + group_props_by_remarks(component)
rule_sets_map[component.title] = group_props_by_remarks(component)

components: List[DefinedComponent] = list(
filter(lambda x: not is_component_type_validation(x.type), component_definition.components)
)

def get_pvp_rule_pair(rule_id):
for pvp, rule_sets in rule_sets_map.items():
for rule in rule_sets:
if rule['Rule_Id'] == rule_id:
return (pvp, rule)
return None, None

render_components = []
for component in components:
rendered_component = RenderedComponent(title=component.title)
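Review bot: `rule_sets_map` is keyed on `component.title`, so two validation components that share a title silently overwrite each other, and `get_pvp_rule_pair` returns the first PVP whose rule set contains `rule_id`, so a Rule_Id that appears under more than one PVP is always attributed to whichever component came first. Key the map on a unique component identifier (or fail on duplicate titles) and have `get_pvp_rule_pair` either return all matches or raise when the rule is ambiguous. Also, `rule_id` could carry a `str` annotation to match the `Dict[str, ...]` typing introduced above.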
Expand All @@ -91,9 +98,9 @@ def render(assessment_results: AssessmentResults, component_definition: Componen
control_result = ControlResult(id=control_id)
for prop in filter(lambda x: x.name == 'Rule_Id', imple_req.props):
rule_id = prop.value
rule_set = next(filter(lambda x: x['Rule_Id'] == rule_id, rule_sets), None)
pvp, rule_set = get_pvp_rule_pair(rule_id)
if rule_set != None:
rule_result = RuleResult(id=rule_id, description=rule_set['Check_Description'])
rule_result = RuleResult(id=f'{rule_id} ({pvp})', description=rule_set['Check_Description'])
o = find_observation(assessment_results.results[0].observations, rule_set['Check_Id'])
if o != None:
for subject in o.subjects:
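Review bot: encoding the PVP into the rule id (`id=f'{rule_id} ({pvp})'`) overloads `RuleResult.id` with display text, so anything that later compares that id against the Rule_Id from the component definition will no longer match. Prefer a dedicated field (e.g. `pvp=pvp`) on `RuleResult` and let the template compose the label. Since `find_observation` still searches only `assessment_results.results[0].observations`, please confirm that the merged results for all PVPs land in the first result entry, otherwise rules from the other PVPs render without subjects. Minor: `if rule_set != None` should be `if rule_set is not None`.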
47 changes: 47 additions & 0 deletions docs/public/heterogeneous.md
@@ -0,0 +1,47 @@
## Work on heterogeneous PVPs

Usecase of security checks against system (Github and Managed Kubernetes clusters) by multiple PVPs (Auditree, Kyverno, and OCM Policy).

![heterogeneous](https://github.com/oscal-compass/compliance-to-policy/assets/113283236/bb64f81a-986c-41fa-83c6-4e7e9165af76)

#### Steps
1. (Optional) Create OSCAL Component Defintion including multiple PVPs as validation components
- [component-definition.csv](/plugins_public/tests/data/heterogeneous/component-definition.csv)
1. Generate PVP policies from the OSCAL Component Definition
```
python samples_public/heterogeneous/compliance_to_policy.py \
-c ./plugins_public/tests/data/heterogeneous/component-definition.json \
-o ./policies
```
1. Policies for each PVP are generated
```
$ tree -L 2 policies
policies
├── auditree
│ └── auditree.json
├── kyverno
│ ├── allowed-base-images
│ └── disallow-capabilities
└── ocm
├── kustomization.yaml
├── parameters.yaml
├── policy-deployment
├── policy-disallowed-roles
├── policy-generator.yaml
└── policy-high-scan
```
1. (Optional) Collect policy validation results from system
- Example all PVP results are located in [/plugins_public/tests/data](/plugins_public/tests/data).
1. Generate OSCAL Assessment Results from PVP results
```
python samples_public/heterogeneous/result_to_compliance.py \
-c ./plugins_public/tests/data/heterogeneous/component-definition.json \
-r ./plugins_public/tests/data > assessment-results.json
```
1. OSCAL Assessment Results is not human readable format. You can see the merged report in markdown by a quick viewer.
```
c2p tools viewer \
-cdef ./plugins_public/tests/data/heterogeneous/component-definition.json \
-ar assessment-results.json
```
e.g. [result.md](/docs/public/heterogeneous.result.md)
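Review bot: a few documentation fixes before merge: "Usecase" should be "Use case", "Component Defintion" should be "Component Definition", "Github" should be "GitHub", and "OSCAL Assessment Results is not human readable format" should read "OSCAL Assessment Results are not in a human-readable format". Step 1 links a component-definition.csv while step 2 consumes component-definition.json; a sentence on how the CSV is converted to the JSON (or a pointer to the tool that does it) would close that gap. The fenced blocks would also benefit from language tags (bash for the commands, text for the tree output).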