Is unique inventory assets (GSA#887)

* add is-unique for inventory assets

* Update src/validations/constraints/fedramp-external-constraints.xml

Co-authored-by: Rene Tshiteya <[email protected]>

* Update fedramp-external-constraints.xml

Co-authored-by: Gabeblis <[email protected]>

* Update src/validations/constraints/content/ssp-unique-inventory-item-asset-id-INVALID.xml

Co-authored-by: A.J. Stein <[email protected]>

* Update src/validations/constraints/content/ssp-unique-inventory-item-asset-id-INVALID.xml

Co-authored-by: A.J. Stein <[email protected]>

* Update src/validations/constraints/fedramp-external-constraints.xml

Co-authored-by: A.J. Stein <[email protected]>

* Update src/validations/constraints/content/ssp-unique-inventory-item-asset-id-INVALID.xml

Co-authored-by: A.J. Stein <[email protected]>

* Update src/validations/constraints/content/ssp-unique-inventory-item-asset-id-INVALID.xml

Co-authored-by: A.J. Stein <[email protected]>

* Update src/validations/constraints/fedramp-external-constraints.xml

Co-authored-by: A.J. Stein <[email protected]>

---------

Co-authored-by: Rene Tshiteya <[email protected]>
Co-authored-by: Gabeblis <[email protected]>
Co-authored-by: A.J. Stein <[email protected]>

features/fedramp_extensions.feature

@@ -211,6 +211,8 @@ Examples:
   | security-level-PASS.yaml |
   | security-sensitivity-level-matches-security-impact-level-FAIL.yaml |
   | security-sensitivity-level-matches-security-impact-level-PASS.yaml |
+  | unique-inventory-item-asset-id-FAIL.yaml |
+  | unique-inventory-item-asset-id-PASS.yaml |
   | user-has-authorized-privilege-FAIL.yaml |
   | user-has-authorized-privilege-PASS.yaml |
   | user-has-privilege-level-FAIL.yaml |
@@ -338,6 +340,7 @@ Examples:
   | scan-type |
   | security-level |
   | security-sensitivity-level-matches-security-impact-level |
+  | unique-inventory-item-asset-id |
   | user-has-authorized-privilege |
   | user-has-privilege-level |
   | user-has-role-id |

src/validations/constraints/content/ssp-unique-inventory-item-asset-id-INVALID.xml

@@ -0,0 +1,38 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" uuid="12345678-1234-4321-8765-123456789012">
+  <system-implementation>
+    <inventory-item uuid="77777777-0000-4000-9000-000000000007">
+      <description>
+        <p>Primary database server</p>
+      </description>
+      <prop name="asset-id" value="DB-001" ns="http://csrc.nist.gov/ns/oscal"/>
+      <prop name="asset-type" value="database"/>
+      <prop name="allows-authenticated-scan" value="yes"/>
+      <prop name="public" value="no"/>
+      <prop name="virtual" value="yes"/>
+      <prop name="scan-type" value="database" ns="https://fedramp.gov/ns/oscal"/>
+      <responsible-party role-id="asset-owner">
+        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+      </responsible-party>
+      <implemented-component component-uuid="55555555-0000-4000-9000-000000000005">
+        <prop name="asset-id" value="DB-001"/>
+      </implemented-component>
+    </inventory-item>
+    <inventory-item uuid="77777777-0000-4000-9000-000000000007">
+      <description>
+        <p>Primary database server</p>
+      </description>
+      <prop name="asset-id" value="DB-001" />
+      <prop name="asset-type" value="database"/>
+      <prop name="allows-authenticated-scan" value="yes"/>
+      <prop name="public" value="no"/>
+      <prop name="virtual" value="yes"/>
+      <prop name="scan-type" value="database" ns="https://fedramp.gov/ns/oscal"/>
+      <responsible-party role-id="asset-owner">
+        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+      </responsible-party>
+      <implemented-component component-uuid="55555555-0000-4000-9000-000000000005">
+        <prop name="asset-id" value="DB-001" />
+      </implemented-component>
+    </inventory-item>
+  </system-implementation>
+</system-security-plan>

src/validations/constraints/fedramp-external-constraints.xml

@@ -539,4 +539,18 @@
             </expect>
         </constraints>
     </context>
+    <context>
+        <metapath target="/system-security-plan/system-implementation"/>
+        <constraints>
+            <is-unique id="unique-inventory-item-asset-id" target="inventory-item/prop[@name='asset-id']">
+                <formal-name>Unique Asset Identifier</formal-name>
+                <description>Ensure each inventory item has a unique asset-id property.</description>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
+                <key-field target="@value"/>
+                <remarks>
+                    <p>A FedRAMP SSP's inventory item MUST have an Asset ID that is unique across all inventory items in the system and its components.</p>
+                </remarks>
+            </is-unique>
+        </constraints>
+    </context>
 </metaschema-meta-constraints>

src/validations/constraints/unit-tests/unique-inventory-item-asset-id-FAIL.yaml

@@ -0,0 +1,11 @@
+test-case:
+  name: Negative Test for unique-inventory-item-asset-id
+  description: >-
+    This test case validates the behavior of constraint
+    unique-inventory-item-asset-id
+  content: ../content/ssp-unique-inventory-item-asset-id-INVALID.xml
+  expectations:
+    - constraint-id: unique-inventory-item-asset-id
+      fail_count:
+        type: "exact"
+        value: 1

src/validations/constraints/unit-tests/unique-inventory-item-asset-id-PASS.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for unique-inventory-item-asset-id
+  description: >-
+    This test case validates the behavior of constraint
+    unique-inventory-item-asset-id
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: unique-inventory-item-asset-id
+      result: pass