Merge pull request #178 from 18F/develop

Merge sprint 6 to master

Author: danielnaab

.github/workflows/content-artifacts.yml

@@ -12,8 +12,8 @@ on:
       - master
 name: Process Content
 env:
-  OSCAL_DIR_PATH: oscal
-  CICD_DIR_PATH: oscal/build/ci-cd
+  OSCAL_DIR_PATH: vendor/oscal
+  CICD_DIR_PATH: vendor/oscal/build/ci-cd
   CONTENT_CONFIG_PATH: src/config
   SAXON_VERSION: 9.9.0-1
   HOME_REPO: GSA/fedramp-automation
@@ -26,6 +26,10 @@ jobs:
         with:
           path: git-content
           submodules: recursive
+          # Only update `fetch-depth` for debugging on branches.
+          # If not, this action cannot see other branches for names for the PR to push back changes.
+          # So, on PR branches without this, you will have errors.
+          # fetch-depth: 0
       # job-validate-content
       - name: Update APT package metadata
         run: |
@@ -56,10 +60,11 @@ jobs:
       # job-copy-and-convert-content
       - name: Auto-convert Content
         run:
-          bash "${GITHUB_WORKSPACE}/git-content/${CICD_DIR_PATH}/copy-and-convert-content.sh" -v -o "${GITHUB_WORKSPACE}/git-content/${OSCAL_DIR_PATH}" -a "${GITHUB_WORKSPACE}/git-content" -c "${GITHUB_WORKSPACE}/git-content/${CONTENT_CONFIG_PATH}" -w "${GITHUB_WORKSPACE}/git-content" --resolve-profiles
+          bash "${GITHUB_WORKSPACE}/git-content/${CICD_DIR_PATH}/copy-and-convert-content.sh" -v -o "${GITHUB_WORKSPACE}/git-content/${OSCAL_DIR_PATH}" -a "${GITHUB_WORKSPACE}/git-content" -c "${GITHUB_WORKSPACE}/git-content/${CONTENT_CONFIG_PATH}" -w "${GITHUB_WORKSPACE}/git-content/dist" --resolve-profiles
       # job-deploy-artifacts
       - name: Setup SSH key
         # only do this on master
+        # Comment the below `if` conditional if you need to debug this on PR branches.
         if: github.repository == env.HOME_REPO && github.ref == 'refs/heads/master'
         run: |
           eval "$(ssh-agent -s)"

.github/workflows/create-release.yml

@@ -0,0 +1,31 @@
+name: Build release artifact
+on:
+  push:
+    tags:
+      - "*"
+jobs:
+  build-release:
+    runs-on: ubuntu-latest
+
+    steps:
+      # Check-out the repository under $GITHUB_WORKSPACE
+      - uses: actions/checkout@v2
+
+      - name: Read Node version from .nvmrc
+        run: echo "##[set-output name=NVMRC;]$(cat .nvmrc)"
+        id: nvm
+
+      - uses: actions/setup-node@v2.3.0
+        with:
+          node-version: ${{ steps.nvm.outputs.NVMRC }}
+
+      # Initialize workspace with git submodules and build a release
+      - name: Build release
+        run: make init build
+
+      # Create a release corresponding to the triggered tag
+      - uses: ncipollo/release-action@v1
+        with:
+          allowUpdates: true
+          artifacts: dist/validations/ssp.xsl
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/xspecRunner.yml

@@ -34,10 +34,10 @@ jobs:
       - name: Run XSpec
         run: |
           echo "Running XSpec"
-          cd $GITHUB_WORKSPACE/resources/validations
+          cd $GITHUB_WORKSPACE/src/validations
           export SAXON_CP=/tmp/saxon/Saxon-HE-10.2.jar
           export TEST_DIR=$(pwd)/report/test
-          lib/xspec/bin/xspec.sh -s -j test/test_all.xspec
+          $GITHUB_WORKSPACE/vendor/xspec/bin/xspec.sh -s -j test/test_all.xspec
       
       # Sets the test report path for visibility
       - name: Publish XSpec Test Results
@@ -62,6 +62,6 @@ jobs:
         with:
           name: fedramp-automation-validation-unit-tests-${{ github.sha }}
           path: |
-            ./resources/validations/report/schematron/**/*.*
-            ./resources/validations/report/test/**/*.*
+            ./src/validations/report/schematron/**/*.*
+            ./src/validations/report/test/**/*.*
           if-no-files-found: error

.gitignore

@@ -4,10 +4,9 @@ _site
 *.DS_Store
 documents/source
 NOTES.md
-resources/validations/lib/**.jar
-resources/validations/report
-resources/validations/src/ssp.xsl
-resources/validations/target
-resources/validations/test/xspec/*
-resources/validations/ui/coverage/
+src/validations/lib/**.jar
+src/validations/report
+src/validations/src/ssp.xsl
+src/validations/target
+src/validations/test/*
 utils

.gitmodules

@@ -1,17 +1,17 @@
 [submodule "oscal"]
-	path = oscal
+	path = vendor/oscal
 	url = https://github.com/usnistgov/OSCAL.git
 	branch = main
 	ignore = dirty
 
 [submodule "resources/validations/lib/xspec"]
-	path = resources/validations/lib/xspec
+	path = vendor/xspec
 	url = https://github.com/xspec/xspec.git
 	branch = master
 	ignore = dirty
 
 [submodule "resources/validations/src/schematron"]
-	path = resources/validations/lib/schematron
+	path = vendor/schematron
 	url = https://github.com/schematron/schematron.git
 	branch = master
 	ignore = dirty

.nvmrc

@@ -1 +1 @@
-v16.2.0
+v16.4.0

Makefile

@@ -0,0 +1,70 @@
+REQUIRED_NODE_VERSION = $(shell cat .nvmrc)
+INSTALLED_NODE_VERSION = $(shell node --version)
+
+.PHONY: help
+
+help:
+	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
+all: clean test build  ## Complete clean build with tests
+
+init: init-repo init-web  ## Initialize project dependencies
+
+node:
+ifneq ($(REQUIRED_NODE_VERSION),$(INSTALLED_NODE_VERSION))
+	$(error node.js version $(REQUIRED_NODE_VERSION) required)
+endif
+
+init-repo:
+	git submodule update --init --recursive
+
+init-web: node
+	cd src/web && \
+		npm install
+
+clean: clean-dist clean-validations clean-web  ## Clean all
+
+clean-dist:  ## Clean non-RCS-tracked dist files
+	@echo "Cleaning dist..."
+	git clean -xfd dist
+
+clean-validations:  ## Clean validations artifact
+	@echo "Cleaning validations..."
+	cd src/validations \
+		rm -rf report target
+
+clean-web:  ## Clean web artifacts
+	@echo "Cleaning web..."
+	cd src/web && \
+		npm run clean
+
+test: test-validations test-web ## Test all
+
+test-validations:  ## Test validations
+	@echo "Running validations tests..."
+	cd src/validations && \
+		../../vendor/xspec/bin/xspec.sh -s -j test/test_all.xspec
+
+test-web:  ## Test web codebase
+	@echo "Running web tests..."
+	cd src/web && \
+		npm run test
+
+build: build-validations build-web dist  ## Build all artifacts and copy into dist directory
+	# Symlink for Federalist
+	ln -sf ./src/web/build _site
+
+	# Copy validations
+	mkdir -p dist/validations
+	cp src/validations/target/ssp.xsl dist/validations
+	cp -r src/validations/rules/ssp.sch dist/validations
+
+build-validations:  ## Build Schematron validations
+	@echo "Building Schematron validations..."
+	cd src/validations && \
+		./bin/validate_with_schematron.sh
+
+build-web: node ## Build web bundle
+	@echo "Building web bundle..."
+	cd src/web && \
+	  npm run build

README.md

@@ -7,7 +7,7 @@ The FedRAMP Program Management Office (PMO) has drafted FedRAMP-specific extensi
 
 To accompany these guides, the FedRAMP PMO has also drafted OSCAL files in XML and JSON formats to serve as an example and template for each major deliverable.
 
-## Support and OSCAL Deprecation Strategy 
+## Support and OSCAL Deprecation Strategy
 
 The FedRAMP PMO has [a release strategy and versioning procedures](./documents/adr/0002-git-release-version-strategy.md). FedRAMP has a minimally supported version of OSCAL, unless explicitly noted otherwise in specific documents or source code in this repository. Baselines, guides, templates, and associated tools in this repository will only support OSCAL data with a version number no lower than specified by FedRAMP version tags. A version tag that ends in `-oscal1.0.0` will only support data with `oscal-version` equal to `1.0.0` or newer, it will not support `1.0.0-milestone3`, `1.0.0-rc1`, or `1.0.0-rc2`. A future version tag ending in `-oscal1.1.0` indicates FedRAMP source code and guides will support data with `oscal-version` equal to `1.1.0` or newer, but not `1.0.0`.
 
@@ -18,7 +18,7 @@ Changes to the minimally supported version and deprecation notices will be made
 The FedRAMP PMO is releasing the following files for public review and comment:
 
 - **FedRAMP Baselines:** The FedRAMP baselines for High, Moderate, Low, and Tailored for Low Impact-Software as a Service (LI-SaaS) in OSCAL (XML and JSON formats) are available [here](./baselines).
-  
+
 - **FedRAMP OSCAL Templates:** The template files are pre-populated with FedRAMP extensions, defined-identifiers, and conformity tags where practical. They also include sample data, and are the basis for their respective guidance documents above. The drafts for public comment are available in both XML and JSON formats [here](./templates/).
 
 - **FedRAMP OSCAL Registry** This registry is the authoritative source for all FedRAMP extensions to the OSCAL syntax, FedRAMP-defined identifiers, and accepted values. The draft for public comment is available [here](./documents/FedRAMP_Extensions.pdf).
@@ -40,12 +40,43 @@ The following NIST resources are available:
 
 - **OSCAL Workshop Training Slides:** Provided at an October workshop hosted by the NIST OSCAL Team. The early portions of the deck provide an overview, with more technical details beginning on slide 52. [https://pages.nist.gov/OSCAL/downloads/OSCAL-workshop-20191105.pdf](https://pages.nist.gov/OSCAL/learn/presentations/OSCAL-workshop-20191105.pdf)
 
-- **Content Converters:** The converters accurately convert OSCAL catalog, profile, SSP, SAP, SAR, and POA&M content from [XML to JSON](https://github.com/usnistgov/OSCAL/tree/master/json/convert) and [JSON to XML](https://github.com/usnistgov/OSCAL/tree/master/xml/convert). 
+- **Content Converters:** The converters accurately convert OSCAL catalog, profile, SSP, SAP, SAR, and POA&M content from [XML to JSON](https://github.com/usnistgov/OSCAL/tree/master/json/convert) and [JSON to XML](https://github.com/usnistgov/OSCAL/tree/master/xml/convert).
 
-- **NIST SP 800-53 & 53A Revision 4 in OSCAL:** NIST is also providing SP 800-53 and 800-53A, Revision 4 content as well as the NIST High, Moderate, and Low baselines in OSCAL (XML, JSON, and YAML formats) [here](https://github.com/usnistgov/OSCAL/tree/master/content/nist.gov/SP800-53/rev4). 
+- **NIST SP 800-53 & 53A Revision 4 in OSCAL:** NIST is also providing SP 800-53 and 800-53A, Revision 4 content as well as the NIST High, Moderate, and Low baselines in OSCAL (XML, JSON, and YAML formats) [here](https://github.com/usnistgov/OSCAL/tree/master/content/nist.gov/SP800-53/rev4).
 
-NIST offers a complete package containing the NIST OSCAL converters, syntax validation tools, 800-53 and FedRAMP baselines content is available for download in both ZIP and BZ2 format. Visit the [NIST OSCAL Github releases page for more information](https://github.com/usnistgov/OSCAL/releases/latest). 
+NIST offers a complete package containing the NIST OSCAL converters, syntax validation tools, 800-53 and FedRAMP baselines content is available for download in both ZIP and BZ2 format. Visit the [NIST OSCAL Github releases page for more information](https://github.com/usnistgov/OSCAL/releases/latest).
 
 Please ask questions or provide feedback on the above NIST dependencies either via email to [oscal@nist.gov](mailto:oscal@nist.gov), as a comment to an existing issue, or as a new issue via the [NIST OSCAL GitHub site](https://github.com/usnistgov/OSCAL/issues).
 
 FedRAMP looks forward to receiving your comments and sharing additional progress.
+
+## Developer notes
+
+### Build / test
+
+A top-level Makefile is provided to simplify builds.
+
+Build requirements are:
+
+- gcc make
+- node.js (as versioned in [./nvmrc](./.nvmrc))
+- Java 8+
+
+For usage information, use the default target:
+
+```
+make
+```
+### Creating a release
+
+[ADR 0002 (git release version strategy)](./documents/adr/0002-git-release-version-strategy.md)
+outlines the release and versioning system.
+
+Releases must be tagged from the master branch of [GSA/fedramp-automation](https://github.com/GSA/fedramp-automation). If your work resides elsewhere, first merge to master via a pull-request.
+
+To produce a release:
+
+- [Create a Github Release](https://github.com/GSA/fedramp-automation/releases/new)
+  - Ensure the tag follows the naming convention defined in [ADR 0002](./documents/adr/0002-git-release-version-strategy.md)
+- [Monitor running Github Actions](https://github.com/GSA/fedramp-automation/actions) for the `build-release` workflow's completion ([./.github/workflows/create-release.yml](./.github/workflows/create-release.yml))
+  - On completion, artifacts will be attached to the release

…seline-resolved-profile_catalog-min.json …seline-resolved-profile_catalog-min.jsonbaselines/rev4/json/FedRAMP_rev4_HIGH-baseline-resolved-profile_catalog-min.json renamed to dist/content/baselines/rev4/json/FedRAMP_rev4_HIGH-baseline-resolved-profile_catalog-min.json baselines/rev4/json/FedRAMP_rev4_HIGH-baseline-resolved-profile_catalog-min.json renamed to dist/content/baselines/rev4/json/FedRAMP_rev4_HIGH-baseline-resolved-profile_catalog-min.json

@@ -1,10 +1,10 @@
 {
   "catalog": {
-    "uuid": "11943c62-c04a-4736-a605-74cc6c5c3a48",
+    "uuid": "498295de-d389-4fa9-b0da-f413a0382be7",
     "metadata": {
       "title": "FedRAMP Rev 4 High Baseline",
       "published": "2021-02-05T00:00:00.000-04:00",
-      "last-modified": "2021-07-07T19:52:49.426124Z",
+      "last-modified": "2021-07-19T15:18:14.007941Z",
       "version": "fedramp1.0.0-oscal1.0.0",
       "oscal-version": "1.0.0",
       "links": [