Update OSCAL part names and subclass reqs into items (#452)

* Bump oscal-club action to v2.0.2

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Update oscal names and reclass ctls to items

This PR updates the names of the OSCAL parts to use the valid names
according to the nested levels. We also now subclass each control
item to its own part.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

---------

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

Author: puerco

.github/workflows/oscal-check.yaml

@@ -50,7 +50,7 @@ jobs:
           ./go-oscal validate --input-file oscal-sample.json 
 
       - name: Validate Catalog with oscal-club/NIST CLI
-        uses: oscal-club/oscal-cli-action@1a210b84bc1fd6adf15c9cf0d46a51d15a3d8301 # v2.0.1
+        uses: oscal-club/oscal-cli-action@b5b0c80a1a158797bea4475d13d12c494b56019b # v2.0.2
         with:
           args: catalog validate oscal-sample.json 
 

cmd/pkg/baseline/generator_oscal.go

@@ -51,50 +51,65 @@ func (g *Generator) ExportOSCAL(b *types.Baseline, w io.Writer) error {
 			Class:    "OSPS",
 			Controls: nil,
 			ID:       b.ControlFamilyIDs[family.Title],
-			Title:    family.Description,
+			Parts: &[]oscal.Part{
+				{
+					Name:  "overview",
+					Prose: family.Description,
+				},
+			},
+			Title: family.Title,
 		}
 
 		controls := []oscal.Control{}
 		for _, control := range family.Controls {
-			parts := []oscal.Part{}
+			// Create the new OSCAL control.
+			newOscalCtl := oscal.Control{
+				Class: b.ControlFamilyIDs[family.Title],
+				ID:    control.Id,
+				Title: strings.TrimSpace(control.Id), // For some reason, control.Title is the full description
+				Links: &[]oscal.Link{
+					{
+						Href: fmt.Sprintf(controlHREF, VersionOSPS, strings.ToLower(control.Id)),
+						Rel:  "canonical",
+					},
+				},
+				// The main prose of the control lives in the statement part
+				Parts: &[]oscal.Part{
+					{
+						ID:    control.Id + "_smt",
+						Name:  "statement",
+						Ns:    OpenSSFNS,
+						Prose: control.Title,
+					},
+					{
+						ID:    control.Id + "_obj",
+						Name:  "objective",
+						Ns:    OpenSSFNS,
+						Prose: control.Objective,
+					},
+				},
+			}
+
+			items := []oscal.Part{}
 			for _, ar := range control.AssessmentRequirements {
-				parts = append(parts, oscal.Part{
-					Class: control.Id,
+				items = append(items, oscal.Part{
 					ID:    ar.Id,
-					Name:  ar.Id,
-					Ns:    "",
+					Name:  "item",
+					Ns:    OpenSSFNS,
+					Prose: ar.Text,
+					Title: ar.Id,
 					Parts: &[]oscal.Part{
 						{
-							ID:    ar.Id + ".R",
-							Name:  "recommendation",
-							Ns:    OpenSSFNS,
+							ID:    ar.Id + "_obj",
+							Name:  "assessment-objective",
 							Prose: ar.Recommendation,
-							Links: &[]oscal.Link{
-								{
-									Href: fmt.Sprintf(controlHREF, VersionOSPS, ar.Id),
-									Rel:  "canonical",
-								},
-							},
 						},
 					},
-					Prose: ar.Text,
-					Title: "",
 				})
 			}
 
-			newCtl := oscal.Control{
-				Class: b.ControlFamilyIDs[family.Title],
-				ID:    control.Id,
-				Links: &[]oscal.Link{
-					{
-						Href: fmt.Sprintf(controlHREF, VersionOSPS, strings.ToLower(control.Id)),
-						Rel:  "canonical",
-					},
-				},
-				Parts: &parts,
-				Title: strings.TrimSpace(control.Title),
-			}
-			controls = append(controls, newCtl)
+			(*newOscalCtl.Parts)[0].Parts = &items
+			controls = append(controls, newOscalCtl)
 		}
 
 		group.Controls = &controls