Add system-has-id constraint (#744)

* Add constraint and tests * Add help-url prop
GSA · Oct 4, 2024 · b9513d2 · b9513d2
1 parent 8301e38
commit b9513d2
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 0 deletions.
diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
@@ -103,6 +103,8 @@ Examples:
   | has-rules-of-behavior-PASS.yaml |
   | has-separation-of-duties-matrix-FAIL.yaml |
   | has-separation-of-duties-matrix-PASS.yaml |
+  | has-system-id-FAIL.yaml |
+  | has-system-id-PASS.yaml |
   | has-user-guide-FAIL.yaml |
   | has-user-guide-PASS.yaml |
   | information-type-system-FAIL.yaml |
@@ -198,6 +200,7 @@ Examples:
   | has-network-architecture-diagram-link-rel-allowed-value |
   | has-rules-of-behavior |
   | has-separation-of-duties-matrix |
+  | has-system-id |
   | has-user-guide |
   | information-type-system |
   | interconnection-direction |

diff --git a/src/validations/constraints/content/ssp-has-system-id-INVALID.xml b/src/validations/constraints/content/ssp-has-system-id-INVALID.xml
@@ -0,0 +1,5 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd" uuid="12345678-1234-4321-8765-123456789012">
+  <system-characteristics>
+    <system-id identifier-type="https://not-fedramp.gov">F00000001</system-id>
+  </system-characteristics>
+</system-security-plan>
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
@@ -137,6 +137,10 @@
             <expect id="has-data-flow-diagram-link-rel-allowed-value" target="system-characteristics/data-flow/diagram/link" test="@rel eq 'diagram'" level="ERROR">
                 <message>Each FedRAMP SSP data flow diagram must have a link rel attribute with the value "diagram".</message>
             </expect>
+            <expect id="has-system-id" target="system-characteristics" test="system-id[@identifier-type eq 'https://fedramp.gov']" level="ERROR">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-name-abbreviation-and-fedramp-unique-identifier"/>
+                <message>A FedRAMP SSP must have a FedRAMP system identifier.</message>
+            </expect>
         </constraints>
     </context>
     <context>

diff --git a/src/validations/constraints/unit-tests/has-system-id-FAIL.yaml b/src/validations/constraints/unit-tests/has-system-id-FAIL.yaml
@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for has-system-id
+  description: Test that a SSP system-characteristics system-id identifier-type attribute is not equal to 'https://fedramp.gov'.
+  content: ../content/ssp-has-system-id-INVALID.xml
+  expectations:
+    - constraint-id: has-system-id
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-system-id-PASS.yaml b/src/validations/constraints/unit-tests/has-system-id-PASS.yaml
@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for has-system-id
+  description: Test that a SSP system-characteristics system-id identifier-type attribute is equal to 'https://fedramp.gov'.
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-system-id
+      result: pass