Feature/poam link

features/fedramp_extensions.feature

@@ -92,6 +92,7 @@ Examples:
   | has-network-architecture-diagram-link-href-target |
   | has-network-architecture-diagram-link-rel |
   | has-network-architecture-diagram-link-rel-allowed-value |
+  | has-poam-resource |
   | has-published-date |
   | has-required-parameters |
   | has-required-response-points |
@@ -147,6 +148,11 @@ Examples:
   | scan-type |
   | security-level |
   | security-sensitivity-level-matches-security-impact-level |
+  | ssp-component-has-poam-link |
+  | ssp-poam-item-exists |
+  | ssp-poam-link-has-resource-fragment |
+  | ssp-poam-link-references-valid-resource |
+  | ssp-poam-resource-has-oscal-link |
   | statement-has-this-system-component |
   | unique-inventory-item-asset-id |
   | used-by-link-references-component |
@@ -308,6 +314,8 @@ Examples:
   | has-network-architecture-diagram-link-rel-PASS.yaml |
   | has-network-architecture-diagram-link-rel-allowed-value-FAIL.yaml |
   | has-network-architecture-diagram-link-rel-allowed-value-PASS.yaml |
+  | has-poam-resource-FAIL.yaml |
+  | has-poam-resource-PASS.yaml |
   | has-published-date-FAIL.yaml |
   | has-published-date-PASS.yaml |
   | has-required-parameters-FAIL.yaml |
@@ -418,6 +426,16 @@ Examples:
   | security-level-PASS.yaml |
   | security-sensitivity-level-matches-security-impact-level-FAIL.yaml |
   | security-sensitivity-level-matches-security-impact-level-PASS.yaml |
+  | ssp-component-has-poam-link-FAIL.yaml |
+  | ssp-component-has-poam-link-PASS.yaml |
+  | ssp-poam-item-exists-FAIL.yaml |
+  | ssp-poam-item-exists-PASS.yaml |
+  | ssp-poam-link-has-resource-fragment-FAIL.yaml |
+  | ssp-poam-link-has-resource-fragment-PASS.yaml |
+  | ssp-poam-link-references-valid-resource-FAIL.yaml |
+  | ssp-poam-link-references-valid-resource-PASS.yaml |
+  | ssp-poam-resource-has-oscal-link-FAIL.yaml |
+  | ssp-poam-resource-has-oscal-link-PASS.yaml |
   | statement-has-this-system-component-FAIL.yaml |
   | statement-has-this-system-component-PASS.yaml |
   | unique-inventory-item-asset-id-FAIL.yaml |

features/steps/fedramp_extensions_steps.ts

@@ -15,6 +15,7 @@ import { dirname, join,parse, resolve } from "path";
 import { Exception, Log, Result } from "sarif";
 import { fileURLToPath } from "url";
 import { parseString } from "xml2js";
+import {JSDOM} from 'jsdom'
 import { promisify } from "util";
 import {formatSarifOutput} from 'oscal'
 let executor: 'oscal-cli'|'oscal-server' = process.env.OSCAL_EXECUTOR as 'oscal-cli'|'oscal-server' || 'oscal-cli'
@@ -335,10 +336,7 @@ async function checkConstraints(
       if (constraintResults.length === 0) {
         errors.push(
           `Constraint rule not found: ${constraint_id}. The constraint may not be applicable to this content, or there was a runtime error.`
-        );
-        const sarifErrors=formatSarifOutput(sarifOutput)
-        !errors.includes(sarifErrors) && errors.push(sarifErrors)
-
+        );        
         continue;
       }
 
@@ -686,47 +684,54 @@ Then('I should have valid results {string}', async function (fileToValidate) {
   expect(isValid,formatSarifOutput(log)).to.be.true;
 });
 
-
 Then('I should verify that all constraints follow the style guide constraint', async function () {
   const baseDir = join(__dirname, '..', '..');
   const constraintDir = join(baseDir, 'src', 'validations', 'constraints');
-  const styleGuidePath = join(baseDir, 'src', 'validations', 'styleguides', 'fedramp-constraint-style.xml');
-
-  const constraint_files = readdirSync(constraintDir).filter((file) => file.startsWith('fedramp') && file.endsWith('xml') );
-  const errors = [];
+  const constraintFiles = readdirSync(constraintDir).filter(file => 
+    file.startsWith('fedramp') && file.endsWith('.xml')
+  );
 
-  function filterOutBrackets(input) {
-    return input.replace(/\[.*?\]/g, '');
-  }
+  const errors: string[] = [];
+  const compareIds = (a: string, b: string) => a.localeCompare(b, undefined, { numeric: true });
 
-  for (const file_name of constraint_files) {
-    const filePath = join(constraintDir, file_name.trim());
+  for (const fileName of constraintFiles) {
+    const filePath = join(constraintDir, fileName);
+
     try {
-      const {isValid,log} = await validateDocument(filePath,{flags:['disable-schema'],quiet,extensions:[styleGuidePath],module:"http://csrc.nist.gov/ns/oscal/metaschema/1.0"},executor)
-      writeFileSync(
-        join(
-          __dirname,
-          "../../sarif/",
-          file_name.split(".xml").join("").toString()+".sarif"
-        ),JSON.stringify(log, null,"\t"))  
-      const formattedErrors = (formatSarifOutput(log));
-
-      !quiet && console.log(`Validation result for ${file_name}:`, isValid?"valid":"invalid");
-      if (!isValid) {
-        console.error("\n"+formattedErrors);
-      }
-      if (!isValid) {
-        errors.push(`Style guide validation found errors in ${file_name}:\n ${formatSarifOutput(log)}`);
+      const fileContent = readFileSync(filePath, 'utf8');
+      const dom = new JSDOM(fileContent, { contentType: 'text/xml' });
+      const document = dom.window.document;
+
+      const constraintsNodes = document.querySelectorAll('constraints');
+      for (const constraintsNode of constraintsNodes) {
+        const constraints = Array.from(constraintsNode.querySelectorAll('[id]'));
+        const sortedConstraints = [...constraints].sort((a, b) => 
+          compareIds(a.getAttribute('id') || '', b.getAttribute('id') || '')
+        );
+
+
+        for (let i = 0; i < constraints.length - 1; i++) {
+          const currentId = constraints[i].getAttribute('id') || '';
+          const nextId = constraints[i + 1].getAttribute('id') || '';
+          const shouldComeAfter = sortedConstraints[i].getAttribute('id');
+
+          if (compareIds(currentId, nextId) > 0) {
+            const line = fileContent.substring(0, fileContent.indexOf(currentId)).split('\n').length;
+            errors.push(
+              `[ERROR] frr103 ${fileName}:${line}: "${currentId}" is out of order. It should come after "${shouldComeAfter}"`
+            );
+          }
+        }
       }
     } catch (error) {
-      errors.push(`Error processing ${file_name}: ${error}`);
+      errors.push(`Error processing ${fileName}: ${error instanceof Error ? error.message : String(error)}`);
     }
   }
 
-  // Display all errors at the end
   if (errors.length > 0) {
-    console.error("Validation errors found:");
+
+    console.error('Validation errors found:\n' + errors.join('\n'));
   }
 
-  expect(errors, "No style guide validation errors should be found").to.be.empty;
+  expect(errors, 'No style guide validation errors should be found\n'+errors.join("\n")).to.be.empty;
 });

src/content/rev5/examples/ssp/xml/fedramp-poam-example.oscal.xml

@@ -0,0 +1,96 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<plan-of-action-and-milestones uuid="714210d2-f8df-448c-be3e-e2213816cf79"
+    xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_poam_schema.xsd">
+    <metadata>
+        <title>Plan of Action and Milestones for Service B</title>
+        <last-modified>2024-12-12T13:57:28.355446-04:00</last-modified>
+        <version>1.0</version>
+        <oscal-version>1.1.2</oscal-version>
+        <prop name="marking" value="cui"/>
+        <prop name="fedramp-version" ns="https://fedramp.gov/ns/oscal" value="fedramp-3.0.0rc1-oscal-1.1.2"/>
+    </metadata>
+
+    <import-ssp href="fedramp-ssp-example.oscal.xml"/>
+
+    <system-id identifier-type="http://ietf.org/rfc/rfc4122">8101e04d-8305-4e73-bb95-6b59f645b143</system-id>
+
+    <observation uuid="b807eb6e-0c05-43bc-8438-799739615e35">
+        <title>Non-Authorized Service Assessment - Service B</title>
+        <description>
+            <p>Assessment of non-authorized Service B provided by Awesome Cloud for security controls and risk evaluation.</p>
+        </description>
+        <method>EXAMINE</method>
+        <type>finding</type>
+        <subject subject-uuid="11111111-2222-4000-8000-009000500002" type="component"/>
+        <collected>2024-12-12T13:00:00-04:00</collected>
+        <remarks>
+            <p>Service B is being utilized without explicit FedRAMP authorization coverage. While the service implements TLS 1.3 for connection security and includes authentication controls, its use outside the authorized service boundary requires risk assessment and continuous monitoring.</p>
+        </remarks>
+    </observation>
+
+    <risk uuid="485cfb95-20c7-45b0-991c-3f86a8e0cbd4">
+        <title>Use of Non-Authorized Service B from Awesome Cloud</title>
+        <description>
+            <p>Service B is being utilized from the Awesome Cloud environment but is not included within the explicit FedRAMP authorization boundary. This requires risk assessment and ongoing monitoring to ensure security controls are adequate.</p>
+        </description>
+        <statement>
+            <p>The use of non-authorized services, even from an authorized cloud provider, introduces potential security risks if not properly assessed and monitored. While Service B implements security controls including TLS 1.3 and authentication mechanisms, its operation outside the FedRAMP authorized boundary requires additional scrutiny and continuous risk management.</p>
+        </statement>
+        <status>open</status>
+        <characterization>
+            <origin>
+                <actor type="tool" actor-uuid="e7730080-71ce-4b20-bec4-84f33136fd58"/>
+            </origin>
+            <facet name="likelihood" value="moderate" system="https://fedramp.gov/ns/oscal"/>
+            <facet name="impact" value="moderate" system="https://fedramp.gov/ns/oscal"/>
+        </characterization>
+        <deadline>2025-03-31T04:59:00-05:00</deadline>
+        <response uuid="b28873f7-0a45-476d-9cd3-1d2ec0b8bca2" lifecycle="planned">
+            <title>Service B Security Assessment and Documentation</title>
+            <description>
+                <p>A comprehensive security assessment of Service B will be conducted to include:</p>
+                <ul>
+                    <li>Detailed documentation of security controls and their effectiveness</li>
+                    <li>Validation of TLS 1.3 implementation</li>
+                    <li>Review of authentication mechanisms</li>
+                    <li>Assessment of data protection measures</li>
+                    <li>Development of continuous monitoring procedures</li>
+                </ul>
+            </description>
+            <prop name="type" value="mitigate"/>
+            <task uuid="f8b1d4cb-d1a9-4932-9859-2e93b325f288" type="milestone">
+                <title>Complete Security Assessment of Service B</title>
+                <description>
+                    <p>Conduct full security assessment and document findings, including recommendations for additional controls if needed.</p>
+                </description>
+                <timing>
+                    <within-date-range start="2025-01-01T09:00:00-04:00" end="2025-03-31T17:00:00-04:00"/>
+                </timing>
+            </task>
+        </response>
+        <related-observation observation-uuid="b807eb6e-0c05-43bc-8438-799739615e35"/>
+    </risk>
+    <finding uuid="b807eb6e-0c05-43bc-8438-799739615e31">
+        <title>example finding</title>
+        <description>
+            <p>finding description</p>
+        </description>
+        <origin>
+            <actor type="autonmous" actor-uuid="1237eb6e-0c05-43bc-8438-799739615e31"></actor>
+        </origin>
+        <target type="self" target-id="c807eb6e-0c05-43bc-8438-799739615e31">
+            <description>
+                <p>example target description</p>
+            </description>
+            <status state="new"/>
+        </target>
+    </finding>
+    <poam-item uuid="b953b9fc-7e7e-410d-989b-c065d0a458d3">
+        <title>example poam item</title>
+        <description>
+            <p>poam item description</p>
+        </description>
+        <associated-risk risk-uuid="485cfb95-20c7-45b0-991c-3f86a8e0cbd4" />
+    </poam-item>
+</plan-of-action-and-milestones>

src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml

@@ -1115,8 +1115,7 @@ leveraged-authorization assembly:</p>
       </prop>
       <prop ns="http://fedramp.gov/ns/oscal" name="information-type" class="incoming" value="C.3.5.1"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="information-type" class="outgoing" value="C.3.5.8"/>
-      <prop name="poam-item-uuid" ns="http://fedramp.gov/ns/oscal" value="11111111-3333-4000-8000-000000000001"/>
-      <prop name="poam-id" ns="http://fedramp.gov/ns/oscal" value="ID-0001"/>
+      <link href='#11111111-2222-4000-8000-001000000048' rel='poam-item' resource-fragment="b953b9fc-7e7e-410d-989b-c065d0a458d3"/>
       <link rel="provided-by" href="#11111111-2222-4000-8000-009000100001"/>
       <status state="operational"/>
       <responsible-role role-id="admin">
@@ -1217,6 +1216,7 @@ leveraged-authorization assembly:</p>
       <prop ns="http://fedramp.gov/ns/oscal" name="ipv6-address" class="remote" value="::ffff:10.2.2.3"/>
 
       <link rel="used-by" href="#11111111-2222-4000-8000-009000000000"/>
+      <link href='#11111111-2222-4000-8000-001000000048' rel='poam-item' resource-fragment="b953b9fc-7e7e-410d-989b-c065d0a458d3"/>
 
       <status state="operational"/>
 
@@ -1314,6 +1314,7 @@ for connectivity (e.g., system monitoring, system alerting, download updates, et
       <link rel="used-by" href="#11111111-2222-4000-8000-009000000000"/>
       <link rel="used-by" href="#11111111-2222-4000-8000-009000100002"/>
 
+      <link href='#11111111-2222-4000-8000-001000000048' rel='poam-item' resource-fragment="b953b9fc-7e7e-410d-989b-c065d0a458d3"/>
 
 
       <status state="operational"/>
@@ -1385,6 +1386,7 @@ the system POC roles reference parties that represent the connection provider.</
       <prop ns="http://fedramp.gov/ns/oscal" name="nature-of-agreement" value="isa"/>
       <prop name="implementation-point" value="external"/>
       <prop name="inherited-uuid" value="22222222-0000-4000-9001-009000000001"/>
+      <link href='#11111111-2222-4000-8000-001000000048' rel='poam-item' resource-fragment="b953b9fc-7e7e-410d-989b-c065d0a458d3"/>
 
       <status state="operational"/>
 
@@ -1447,6 +1449,8 @@ or as a result to the leveraged system's OSCAL-based SSP.</p>
       </prop>
       <link rel="provided-by" href="#11111111-2222-4000-8000-009000100003"/>
       <link rel="used-by" href="#11111111-2222-4000-8000-009000000000"/>
+      <link href='#11111111-2222-4000-8000-001000000048' rel='poam-item' resource-fragment="b953b9fc-7e7e-410d-989b-c065d0a458d3"/>
+
       <status state="operational"/>
 
       <responsible-role role-id="leveraged-authorization-users">
@@ -1546,6 +1550,7 @@ leveraged-authorization assembly:</p>
       </prop>
 
       <!-- <link href="11111111-2222-4000-8000-009000000000" rel="used-by"/> -->
+      <link href='#11111111-2222-4000-8000-001000000048' rel='poam-item' resource-fragment="b953b9fc-7e7e-410d-989b-c065d0a458d3"/>
       <link rel="api" href="https://api.example.com/v1"/>
       <link rel="used-by" href="#11111111-2222-4000-8000-009000000000"/>
       <status state="operational"/>
@@ -1627,6 +1632,7 @@ property.</p>
           <p/>
         </remarks>
       </prop>
+      <link href='#11111111-2222-4000-8000-001000000048' rel='poam-item' resource-fragment="b953b9fc-7e7e-410d-989b-c065d0a458d3"/>
       <link rel="provided-by" href="#11111111-2222-4000-8000-009000100001"/>
       <status state="operational"/>
       <responsible-role role-id="provider">
@@ -1649,6 +1655,7 @@ property.</p>
         <p>Describe the service and what it is used for.</p>
       </description>
       <prop name="implementation-point" value="internal"/>
+      <link href='#11111111-2222-4000-8000-001000000048' rel='poam-item' resource-fragment="b953b9fc-7e7e-410d-989b-c065d0a458d3"/>
       <status state="operational"/>
     </component>
 
@@ -1674,6 +1681,7 @@ compliance (e.g., Module in Process).</p>
       <prop name="validation-type" value="fips-140-2"/>
       <!-- Provide the certificate number (CMVP #) -->
       <prop name="validation-reference" value="3928"/>
+      <link href='#11111111-2222-4000-8000-001000000048' rel='poam-item' resource-fragment="b953b9fc-7e7e-410d-989b-c065d0a458d3"/>
       <link rel="validation-details" href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3928"/>
       <status state="operational"/>
     </component>
@@ -1693,6 +1701,7 @@ compliance (e.g., Module in Process).</p>
       <prop name="validation-type" value="fips-140-3"/>
       <!-- Provide the certificate number (CMVP #) -->
       <prop name="validation-reference" value="3920"/>
+      <link href='#11111111-2222-4000-8000-001000000048' rel='poam-item' resource-fragment="b953b9fc-7e7e-410d-989b-c065d0a458d3"/>
       <link rel="validation-details" href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3920"/>
       <status state="operational"/>
     </component>
@@ -1779,6 +1788,7 @@ compliance (e.g., Module in Process).</p>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
       <prop name="baseline-configuration-name" value="Baseline Config. Name"/>
       <prop name="allows-authenticated-scan" value="yes"/>
+      <link href='#11111111-2222-4000-8000-001000000048' rel='poam-item' resource-fragment="b953b9fc-7e7e-410d-989b-c065d0a458d3"/>
       <status state="operational"/>
     </component>
     <component uuid="11111111-2222-4000-8000-009000300005" type="service">
@@ -1808,6 +1818,7 @@ compliance (e.g., Module in Process).</p>
       <prop ns="http://fedramp.gov/ns/oscal" name="ipv4-address" class="remote" value="10.2.2.4"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="ipv6-address" class="remote" value="::ffff:10.2.2.4"/>
 
+      <link href='#11111111-2222-4000-8000-001000000048' rel='poam-item' resource-fragment="b953b9fc-7e7e-410d-989b-c065d0a458d3"/>
 
       <link href="#11111111-2222-4000-8000-009000500006" rel="used-by"/>
       <status state="operational"/>
@@ -2202,6 +2213,7 @@ approved.</p>
       <!-- <prop name="ipv4-address" value="10.10.20.0/24"/> -->
       <!-- is-scanned prop applies to inventory-item (not component) -->
       <!-- <prop name="is-scanned" value="yes"/> -->
+      <link href='#11111111-2222-4000-8000-001000000048' rel='poam-item' resource-fragment="b953b9fc-7e7e-410d-989b-c065d0a458d3"/>
       <status state="operational"/>
     </component>
     <component type="service" uuid="11111111-2222-4000-8000-009000500006">
@@ -2225,7 +2237,7 @@ approved.</p>
       <prop ns="http://fedramp.gov/ns/oscal" name="ipv6-address" class="local" value="::ffff:10.1.1.5"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="ipv4-address" class="remote" value="10.2.2.5"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="ipv6-address" class="remote" value="::ffff:10.2.2.5"/>
-
+      <link href='#11111111-2222-4000-8000-001000000048' rel='poam-item' resource-fragment="b953b9fc-7e7e-410d-989b-c065d0a458d3"/>
       <link href="#11111111-2222-4000-8000-009000500005" rel="used-by"/>
       <!-- is-scanned prop applies to inventory-item (not component) -->
       <!-- <prop name="is-scanned" value="yes"/> -->
@@ -9050,6 +9062,7 @@ FedRAMP PMO.</p>
       <prop name="type" value="plan" class="poam"/>
       <rlink href="./attachments/POAMs/SAMPLE_POAM_20230531.xml" media-type="=application/xml"/>
       <rlink href="./attachments/POAMs/SAMPLE_POAM_20230531.xlsx" media-type="application/vnd.ms-excel"/>
+      <rlink media-type="application/oscal+xml" href="fedramp-poam-example.oscal.xml"/>
       <base64 filename="SAMPLE_POAM_20230531.xml" media-type="application/xml">00000000</base64>
       <!-- Todo: Fix Schematron. Make base64 optional -->
     </resource>