833 oscal version constraint #884
Conversation
kyhu65867
force-pushed
the
833-oscal-version
branch
2 times, most recently
from
03ec0e4 to
6f2ead3
Compare
aj-stein-gsa
force-pushed
the
833-oscal-version
branch
from
6f2ead3 to
d37d0dd
Compare
|
@kyhu65867 I beefed it up and think it works before I mark it anymore complicated. Let me know what you think, especially the tests. I may have to abstain from review, but hope our colleagues roast me and show you that no one is sacred during review. 😄 |
|
I add myself not just because I contributed but I want honest feedback and review from others since I did my fair share on this one, I should have to defend it with Kylie. |
There was a problem hiding this comment.
I think this is a good start. My biggest issue with this is the FedRAMP versions. Right now we have only 1 version with its minimum required OSCAL version hardcoded. Are there different versions? If not, we could simplify this constraint a lot. Simply changing the FedRAMP version at all breaks this constraint.
src/validations/constraints/unit-tests/oscal-version-matches-fedramp-version-FAIL.yaml
Outdated
Show resolved
Hide resolved
| expression="if (empty($doc-fedramp-version/@value)) | ||
| then map:get($fedramp-minimum-oscal-versions, $preferred-version) |
There was a problem hiding this comment.
We already have a constraint that checks and requires the existence of the fedramp-version prop. I am not sure adding a default value in the case of the missing prop is what we want to do here.
There was a problem hiding this comment.
If not you will get null pointer exceptions when you dereference other elements, so I was curious how others would consider appropriate for the balancing act. I appreciate the feedback.
There was a problem hiding this comment.
The first thing that comes to mind is creating a let expression that checks for the existence of the prop. If it doesn't exist, assign some null value. Add that check as part of the other let expressions: if (true) then do something... else null value. Then in the constraint test just check that the value isn't null and all the other conditions are still truthy
There was a problem hiding this comment.
OK, I can keep that in mind.
There was a problem hiding this comment.
One more thing about the current implementation is that in the case that no FedRAMP version is included, it incorrectly results in a pass because of the way it defaults to a certain value.
There was a problem hiding this comment.
Oh I moved it back to in progress because I was not done addressing your other feedback, sir. I did not forget!
There was a problem hiding this comment.
Apologies. It just hit me that I forgot to mention that yesterday is all 🤕
aj-stein-gsa
force-pushed
the
833-oscal-version
branch
3 times, most recently
from
f13dd5c to
cf00d2b
Compare
| expression="if (empty($doc-fedramp-version/@value)) | ||
| then map:get($fedramp-minimum-oscal-versions, $preferred-version) |
There was a problem hiding this comment.
One more thing about the current implementation is that in the case that no FedRAMP version is included, it incorrectly results in a pass because of the way it defaults to a certain value.
Co-authored-by: Gabeblis <[email protected]>
aj-stein-gsa
force-pushed
the
833-oscal-version
branch
from
44ccc2a to
8199128
Compare
aj-stein-gsa
force-pushed
the
833-oscal-version
branch
from
8199128 to
3a5cd76
Compare
Committer Notes
{Please provide a description of what this PR accomplishes. Be sure to reference any issues addressed. If the PR is a work-in-progress submitted for early review, please submit the PR as a draft PR using the "Draft pull request" dropdown.}
All Submissions:
By submitting a pull request, you are agreeing to provide this contribution under the CC0 1.0 Universal public domain dedication.