introduce party-has-responsiblity

.dockerignore

@@ -0,0 +1,3 @@
+# Ignore everything
+*
+!/src/validations/constraints

.github/workflows/content-artifacts.yml

@@ -4,7 +4,10 @@ on:
   push:
     branches:
       - master
+      - develop
+      - 'feature/**'
     paths:
+      - Dockerfile
       - "src/**"
       - "oscal"
   pull_request:
@@ -15,12 +18,23 @@ on:
 name: Process Content
 env:
   HOME_REPO: GSA/fedramp-automation
+  IMAGE_NAME: GSA/fedramp-automation/validation-tools
+  REGISTRY: ghcr.io
+  # Docs: github.com/docker/metadata-action/?tab=readme-ov-file#typesha
+  DOCKER_METADATA_PR_HEAD_SHA: true
+  # https://github.com/docker/metadata-action?tab=readme-ov-file#annotations
+  DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
 jobs:
   validate-and-publish-content:
     name: Content Validation Checking, Conversion and Validation
     runs-on: ubuntu-20.04
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08
         with:
           path: git-content
           submodules: recursive
@@ -53,3 +67,65 @@ jobs:
           commit_user_name: OSCAL GitHub Actions Bot
           commit_user_email: [email protected]
           commit_author: OSCAL GitHub Actions Bot <[email protected]>
+      - if: github.repository == env.HOME_REPO
+        name: Container image QEMU setup for cross-arch builds
+        id: image_setup_qemu
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
+      - if: github.repository == env.HOME_REPO
+        name: Container image buildx setup for cross-arch builds
+        id: image_setup_buildx
+        with:
+          platforms: linux/amd64,linux/arm64 
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db
+      - if: github.repository == env.HOME_REPO
+        name: Container image login
+        id: image_login
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - if: github.repository == env.HOME_REPO
+        name: Container image metadata and tag generation
+        id: image_metadata
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
+        with:
+          images:
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=sha,prefix=,suffix=,format=long
+            type=ref,event=branch
+            type=ref,event=tag
+            type=ref,event=pr            
+          # For now, do not auto-tag latest, maintainers will decided what is
+          # release-worthy.
+          flavor: |
+            latest=true
+          annotations:
+            maintainers="FedRAMP Automation Team <[email protected]>"
+            org.opencontainers.image.authors="FedRAMP Automation Team <[email protected]>"
+            org.opencontainers.image.documentation="https://automate.fedramp.gov"
+            org.opencontainers.image.source="https://github.com/GSA/fedramp-automation"
+            org.opencontainers.image.vendor="GSA Technology Transformation Services"
+            org.opencontainers.image.title="FedRAMP Validation Tools"
+            org.opencontainers.image.description="FedRAMP's tools for validating OSCAL data"
+            org.opencontainers.image.licenses="CC0-1.0"
+      - if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/feature'))
+        name: Container image registry push
+        id: image_registry_push
+        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        with:
+          context: git-content
+          push: true
+          tags: ${{ steps.image_metadata.outputs.tags }}
+          labels: ${{ steps.image_metadata.outputs.annotations }}
+          platforms: linux/amd64,linux/arm64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+      - if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/feature'))
+        name: Container image push attestations
+        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.image_registry_push.outputs.digest }}
+          push-to-registry: false

.github/workflows/create-release.yml

@@ -5,11 +5,11 @@ on:
       - "*"
 jobs:
   build-release:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
 
     steps:
       # Check-out the repository under $GITHUB_WORKSPACE
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08
 
       - name: Read Node version from .nvmrc
         run: echo "##[set-output name=NVMRC;]$(cat .nvmrc)"

.github/workflows/run-tests.yml

@@ -7,64 +7,51 @@ on:
   push:
     branches:
       - master
+      - develop
+      - 'feature/**'  # This will match any branch starting with "feature"
+
   pull_request:
 
 # the job requires some dependencies to be installed (including submodules), runs the tests, and then reports results
 jobs:
   # one job that runs tests
   run-tests:
-    runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
-        os: [macos-latest, ubuntu-latest, windows-latest]
-        arch: [arm64, x86_64]
-
+        os: [ubuntu-20.04, windows-2022]
+    runs-on: ${{ matrix.os }}
     # Checkout repository and its submodules
     steps:
       # Check-out the repository under $GITHUB_WORKSPACE
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08
 
+      - name: Set up Java
+        uses: actions/setup-java@67fbd726daaf08212a7b021c1c4d117f94a81dd3
+        with:
+          distribution: 'adopt'
+          java-version: '11'
       - name: Read node version from `.nvmrc` file
         id: nvmrc
         shell: bash
         run: echo ::set-output name=NODE_VERSION::$(cat .nvmrc)
 
       - name: Install required node.js version
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
         with:
           node-version: ${{ steps.nvmrc.outputs.NODE_VERSION }}
-
-      - name: Install required Python version
-        uses: actions/setup-python@v4
-        with:
-          python-version: "3.10"
-
-      # Initialize the workspace with submodules and dependencies.
-      - name: Initialize workspace
-        shell: bash
-        run: make init
-
-      # Compile Schematron to XSL.
-      - name: Compile Schematron
-        shell: bash
-        run: make build-validations
-
-      - name: Run complete test suite
-        shell: bash
-        if: runner.os == 'Linux'
+      - name: Install OSCAL CLI
         run: |
-          make test
-
-      - name: Run limited test suite
+          make init-validations
+      - name: Run Cucumber tests
         shell: bash
-        if: runner.os == 'Windows' || runner.os == 'macOS'
         run: |
-          make test-validations test-web
-
-      - name: Build all
-        shell: bash
-        if: runner.os == 'Windows' || runner.os == 'macOS'
-        run: |
-          make build
+          make build-validations
+      - name : Publish all Junit XML tests results in Github Summary
+        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86
+        if: always()
+        with:
+            paths: |
+              **/reports/junit-*.xml
+

.gitignore

@@ -5,6 +5,7 @@ _site
 .vscode
 *.DS_Store
 *.code-workspace
+node_modules/
 dist/validations
 dist/web
 documents/source
@@ -14,6 +15,10 @@ src/validations/report
 src/validations/src/ssp.xsl
 src/validations/target
 utils
+sarif/
+dist/
+# Hugo Files
+/docs/public
 
 # XSpec reports (from OxygenXML XSpec use)
 src/validations/test/rules/poam-result.html
@@ -31,3 +36,5 @@ src/validations/test/rules/rev5/ssp-result.html
 src/validations/test/rules/rev4/ssp-result.html
 src/validations/test/rules/rev5/poam-result.html
 src/validations/test/rules/rev5/sar-result.html
+/reports
+/sarif

.nvmrc

@@ -1 +1 @@
-v18.15.0
+v20.16.0

Dockerfile

@@ -0,0 +1,67 @@
+ARG MAVEN_IMAGE=maven:3.9.9-eclipse-temurin-22-alpine
+ARG NODE_IMAGE=node:22-alpine3.20
+ARG APK_EXTRA_ARGS
+ARG WGET_EXTRA_ARGS
+# Static analysis from docker build and push warns this is a secret, it is not.
+# Per official developer instructions, it is necessary to verify the APK packages
+# for Alpine or properly signed. This information is inherently public.
+# https://adoptium.net/installation/linux/#_alpine_linux_instructions
+ARG TEMURIN_APK_KEY_URL=https://packages.adoptium.net/artifactory/api/security/keypair/public/repositories/apk
+ARG TEMURIN_APK_REPO_URL=https://packages.adoptium.net/artifactory/apk/alpine/main
+ARG TEMURIN_APK_VERSION=temurin-22-jdk
+ARG MAVEN_DEP_PLUGIN_VERSION=3.8.0
+ARG OSCAL_CLI_VERSION=2.0.2
+# Current public key ID for [email protected] releases of oscal-cli
+# Static analysis from docker build and push warns this is a secret, it is not
+# and is necessary to cross-ref the Maven GPG key for checking build signatures.
+# https://keyserver.ubuntu.com/pks/lookup?search=0127D75951997E00&fingerprint=on&op=index
+ARG OSCAL_CLI_GPG_KEY=0127D75951997E00
+ARG OSCAL_JS_VERSION=1.4.4
+ARG FEDRAMP_AUTO_GIT_URL=https://github.com/GSA/fedramp-automation.git
+ARG FEDRAMP_AUTO_GIT_REF=feature/external-constraints
+ARG FEDRAMP_AUTO_GIT_COMMIT
+
+FROM ${MAVEN_IMAGE} as oscal_cli_downloader
+ARG MAVEN_DEP_PLUGIN_VERSION
+ARG OSCAL_CLI_VERSION
+ARG OSCAL_CLI_GPG_KEY
+ARG APK_EXTRA_ARGS
+ARG WGET_EXTRA_ARGS
+RUN apk add --no-cache gpg gpg-agent unzip &&  \
+    mkdir -p /opt/oscal-cli && \
+    mvn \
+    org.apache.maven.plugins:maven-dependency-plugin:${MAVEN_DEP_PLUGIN_VERSION}:copy \
+    -DoutputDirectory=/opt/oscal-cli \
+    -DremoteRepositories=https://repo1.maven.org/maven2 \
+    -Dartifact=dev.metaschema.oscal:oscal-cli-enhanced:${OSCAL_CLI_VERSION}:zip:oscal-cli && \
+    mvn \
+    org.apache.maven.plugins:maven-dependency-plugin:${MAVEN_DEP_PLUGIN_VERSION}:copy \
+    -DoutputDirectory=/opt/oscal-cli \
+    -DremoteRepositories=https://repo1.maven.org/maven2 \
+    -Dartifact=dev.metaschema.oscal:oscal-cli-enhanced:${OSCAL_CLI_VERSION}:zip.asc:oscal-cli && \
+    gpg --recv-keys ${OSCAL_CLI_GPG_KEY} && \
+    gpg -k ${OSCAL_CLI_GPG_KEY} && \
+    cd /opt/oscal-cli && \
+    gpg --verify *.zip.asc && \
+    unzip *.zip && \
+    rm -f *.zip && \
+    rm -f *.zip.asc
+
+FROM ${NODE_IMAGE} as final
+ARG OSCAL_JS_VERSION
+ARG TEMURIN_APK_KEY_URL
+ARG TEMURIN_APK_REPO_URL
+ARG TEMURIN_APK_VERSION
+ARG APK_EXTRA_ARGS
+ARG WGET_EXTRA_ARGS
+COPY --from=oscal_cli_downloader /opt/oscal-cli /opt/oscal-cli
+RUN wget ${WGET_EXTRA_ARGS} -O /etc/apk/keys/adoptium.rsa.pub "${TEMURIN_APK_KEY_URL}" && \
+    echo "${TEMURIN_APK_REPO_URL}" >> /etc/apk/repositories && \
+    apk add ${APK_EXTRA_ARGS} --no-cache ${TEMURIN_APK_VERSION} && \
+    mkdir -p /opt/fedramp/oscaljs && \
+    mkdir -p /opt/fedramp/constraints && \
+    (cd /opt/fedramp/oscaljs && npm install oscal@${OSCAL_JS_VERSION})
+COPY ./src/validations/constraints/*.xml /opt/fedramp/constraints/
+ENV PATH="$PATH:/opt/oscal-cli/bin:/opt/fedramp/oscaljs/node_modules/.bin"
+WORKDIR /opt/fedramp/constraints
+ENTRYPOINT [ "/opt/oscal-cli/bin/oscal-cli" ]

Makefile

@@ -1,4 +1,5 @@
 export BASE_DIR=$(shell pwd)
+OCI_REV_TAG=$(shell git rev-parse HEAD)
 
 help:
 	@grep -h -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
@@ -13,7 +14,9 @@ include src/web/module.mk
 
 all: clean build test  ## Complete clean build with tests
 
-init: init-repo init-validations init-web  ## Initialize project dependencies
+init: init-repo init-validations init-content init-web  ## Initialize project dependencies
+
+configure: init-validations
 
 init-repo:
 	git submodule update --init --recursive
@@ -24,7 +27,13 @@ clean-dist:  ## Clean non-RCS-tracked dist files
 	@echo "Cleaning dist..."
 	git clean -xfd dist
 
-test: test-validations test-web test-examples ## Test all
+clean-oci-image:
+	docker rmi -f \
+		validation-tools:$(OCI_REV_TAG) \
+		ghcr.io/gsa/fedramp-automation/validation-tools:$(OCI_REV_TAG) \
+		gsatts/validation-tools:$(OCI_REV_TAG) \
+
+test: build-validations ## Test all
 
 build: build-validations build-web dist  ## Build all artifacts and copy into dist directory
 	# Copy validations
@@ -37,3 +46,27 @@ build: build-validations build-web dist  ## Build all artifacts and copy into di
 
 	@echo '#/bin/bash\necho "Serving FedRAMP ASAP documentation at http://localhost:8000/..."\npython3 -m http.server 8000 --directory web/' > ./dist/serve-documentation
 	chmod +x ./dist/serve-documentation
+
+build-oci-image:
+	docker build \
+		--build-arg APK_EXTRA_ARGS="--no-check-certificate" \
+		--build-arg WGET_EXTRA_ARGS="--no-check-certificate" \
+		-t validation-tools:$(OCI_REV_TAG) \
+		-t ghcr.io/gsa/fedramp-automation/validation-tools:$(OCI_REV_TAG) \
+		-t  gsatts/validation-tools:$(OCI_REV_TAG) \
+		.
+
+publish-oci-image:
+	docker tag \
+		validation-tools:$(OCI_REV_TAG) validation-tools:latest
+
+	docker tag \
+		ghcr.io/gsa/fedramp-automation/validation-tools:$(OCI_REV_TAG) \
+		ghcr.io/gsa/fedramp-automation/validation-tools:latest
+
+	docker tag \
+		gsatts/validation-tools:$(OCI_REV_TAG) \
+		gsatts/validation-tools:latest
+
+	docker push ghcr.io/gsa/fedramp-automation/validation-tools:$(OCI_REV_TAG)
+	docker push	ghcr.io/gsa/fedramp-automation/validation-tools:latest

cucumber.json

@@ -0,0 +1,12 @@
+{
+  "default": {
+    "requireModule": ["ts-node/register"],
+    "import": ["features/**/*.ts"],
+    "format": [
+      ["junit", "reports/junit-constraints.xml"],
+      ["html", "reports/constraints.html"]
+    ],
+    "retry": 2,
+    "retryTagFilter": "@flaky"
+  }
+}