Adjust Constraint Target For 'inventory-item-has-vendor-name' (#1099)

GSA · Jan 16, 2025 · 63d3424 · 63d3424
1 parent c0df306
commit 63d3424
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/src/validations/constraints/content/ssp-inventory-item-has-vendor-name-INVALID.xml b/src/validations/constraints/content/ssp-inventory-item-has-vendor-name-INVALID.xml
@@ -1,6 +1,6 @@
 <system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000">
   <system-implementation>
-    <component uuid="11111111-2222-4000-8000-009000000007" type="process-procedure">
+    <component uuid="11111111-2222-4000-8000-009000000007" type="software">
       <!-- <prop ns="http://fedramp.gov/ns/oscal" name="vendor-name" value="Vendor"/> Missing software-name in linked component-->
     </component>
     <inventory-item uuid="11111111-2222-4000-8000-011000000001">

diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
@@ -729,7 +729,7 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
                 <message>In a FedRAMP SSP, each inventory item that has a MAC address MUST format the MAC address correctly.</message>
             </expect>
-            <expect id="inventory-item-has-vendor-name" target="." test="count(prop[@name='vendor-name' and @ns='http://fedramp.gov/ns/oscal']) >= 1 or count(../component[@uuid=$component-uuid]/prop[@name='vendor-name' and @ns='http://fedramp.gov/ns/oscal']) >= 1" level="ERROR">
+            <expect id="inventory-item-has-vendor-name" target=".[../component[@uuid=$component-uuid and @type=('hardware','software')]]" test="count(prop[@name='vendor-name' and @ns='http://fedramp.gov/ns/oscal']) >= 1 or count(../component[@uuid=$component-uuid]/prop[@name='vendor-name' and @ns='http://fedramp.gov/ns/oscal']) >= 1" level="ERROR">
                 <formal-name>Inventory Item Has Vendor Name</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
                 <message>In a FedRAMP SSP, each inventory item MUST include the vendor name in the inventory item itself or within the linked component.</message>