Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: adds transformation from component definitions to assessment plans #36

Merged
merged 10 commits into from
Feb 14, 2025
Merged

feat: adds transformation from component definitions to assessment plans #36

merged 10 commits into from
Feb 14, 2025
+1,696 −253

Conversation

jpower432
Copy link
Member

@jpower432 jpower432 commented Jan 31, 2025
edited
Loading

Description

The main feature added in the ComponentDefinitionsToAssessmentPlan function that will take one or more OSCAL Component Definitions are populate an Assessment Plan.

  • A models package was added to support logic around specific OSCAL models or subsets (compliance-trestle partial equivalent)
  • A transformers package was added with logic for OSCAL to OSCAL transformations (compliance-trestle equivalent, but scoped to OSCAL-to-OSCAL only)
  • Logic updated in existing packages to support

Closes #32
To support oscal-compass/compliance-to-policy-go#43

Review Hints

  • Recommend to review each commit individually.
  • The Settings interface is remove and the RequirementsSettings struct is renamed to Settings because all other implementation were using the same type and methods to support the logic. An interface is not needed (yet) and can be added later if the use case arises.

How has this been tested?

  • Unit tests added to cover new logic

Types of changes

  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Quality assurance (all should be covered).

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing tests pass locally with my changes
  • All commits are signed-off.

@jpower432
feat: adds support for AssessmentPlan generation
acc848f 
Support for AssessmentPlan generation is added with inputs that
are intentionally flexible to allow AssessmentPlans to be populated
from SSPs or directly from ComponentDefinition data, if desired.

Signed-off-by: Jennifer Power <[email protected]>
@jpower432
feat: adds transformers pkg with initial CD to AP transformation
808ba2a 
Signed-off-by: Jennifer Power <[email protected]>
@jpower432
feat: adds function to create SampleMetadata
2333ce3 
All top-level OSCAL models use Metadata, this change centralizes the
creation of new metadata for consistency.

Signed-off-by: Jennifer Power <[email protected]>
@jpower432
refactor: updates ImplementationSettings to support new Setting types
f23c7fb 
All factory functions for creating different Setting types are grouped
together to make them easier to find. Statement-level support is also added
to ImplementationSettings and the factory function for creating Settings from
requirements is made private because there is some additional processing from the
implementation perspective that makes the standalone requirement Setting incomplete.

Signed-off-by: Jennifer Power <[email protected]>
@jpower432
feat: adds components to LocalDefinitions if SSP import is not set
d8d3556 
Signed-off-by: Jennifer Power <[email protected]>
@jpower432
feat: adds Settings from Assessment Activities
d757196 
Signed-off-by: Jennifer Power <[email protected]>
@jpower432
chore: updates copyright year on new packages
98de16f 
Signed-off-by: Jennifer Power <[email protected]>
@jpower432
Merge branch 'main' into feat/generate-assessment-plan
648bd2b
@jpower432 jpower432 mentioned this pull request Jan 31, 2025
Open
9 tasks
@jpower432 jpower432 marked this pull request as ready for review February 3, 2025 21:38
gvauter
gvauter approved these changes Feb 5, 2025
View reviewed changes
Copy link

@gvauter gvauter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - one small thought for a future task.

extensions/props.go Outdated Show resolved Hide resolved
@jpower432
Copy link
Member Author

jpower432 commented Feb 7, 2025
edited
Loading

@vikas-agarwal76 @degenaro @yana1205 @butler54
Adding some additional context on the approach here. Please let me know if you have feedback/questions:

  • The validation components are added under assessment assets. All original component properties are retained.
  • The DefinedComponents are transformed to SystemComponents as required an placed under LocalDefinitions for the Component Definition to Assessment Plan and the SSP import value is set to the standard REPLACE_ME string. All original component properties are retained.
  • An activity was added for each rule under Local Definitions where the relationship to controls from the Component Defintion control implementation is maintained and the checks were documented as activity steps.
  • The component is documented as an Assessment subject and the rule activity is associated.
  • Future Consideration: The defined activities could be used to populate the origin and subject information in Assessment Result Observations that are created from policy results.

hbraswelrh
hbraswelrh approved these changes Feb 7, 2025
View reviewed changes
Copy link

@hbraswelrh hbraswelrh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, left a minor comment. Tested locally.

generators/doc.go Outdated Show resolved Hide resolved
@jpower432 jpower432 mentioned this pull request Feb 11, 2025
Open
14 tasks
@vikas-agarwal76
Copy link
Member

@vikas-agarwal76 @degenaro @yana1205 @butler54 Adding some additional context on the approach here. Please let me know if you have feedback/questions:

  • The validation components are added under assessment assets. All original component properties are retained.
  • The DefinedComponents are transformed to SystemComponents as required an placed under LocalDefinitions for the Component Definition to Assessment Plan and the SSP import value is set to the standard REPLACE_ME string. All original component properties are retained.
  • An activity was added for each rule under Local Definitions where the relationship to controls from the Component Defintion control implementation is maintained and the checks were documented as activity steps.
  • The component is documented as an Assessment subject and the rule activity is associated.
  • Future Consideration: The defined activities could be used to populate the origin and subject information in Assessment Result Observations that are created from policy results.

@jpower432 I am not sure if acitivty corrsponds to each rule or the policy execution (which checks multiple rules). Same with associated activities in Tasks.

degenaro
degenaro approved these changes Feb 14, 2025
View reviewed changes
Copy link

@degenaro degenaro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jpower432
Copy link
Member Author

@jpower432 I am not sure if acitivty corrsponds to each rule or the policy execution (which checks multiple rules). Same with associated activities in Tasks.

@vikas-agarwal76 documenting the outcome of our discussion here:

The rule-driven activity approach is acceptable for now. If needed, we can refine Assessment Plan approach as it gets more use.

@jpower432 jpower432 merged commit 09243b5 into oscal-compass:main Feb 14, 2025
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@degenaro degenaro degenaro approved these changes

@gvauter gvauter gvauter approved these changes

@hbraswelrh hbraswelrh hbraswelrh approved these changes

@vikas-agarwal76 vikas-agarwal76 Awaiting requested review from vikas-agarwal76

@yana1205 yana1205 Awaiting requested review from yana1205

@butler54 butler54 Awaiting requested review from butler54

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

OSCAL Component Definitions to Assessment Plan
5 participants
@jpower432 @vikas-agarwal76 @degenaro @gvauter @hbraswelrh