Adds utilities for OSCAL Component Definitions from policies

[jpower432]

Description:

This PR adds utilities under the utils directory to create OSCAL component definitions using the files under the controls directory to populate the implemented requirements and mapping to the rules.

What was added?

• Core logic under utils/oscal
• Unit tests under test/unit/utils/oscal
• Documentation for the utilities

Rationale:

The policy was used to initially fill in the control responses because it contains all the required information for a component definition (status, description, rule mapping). However, the class ComponentDefinitionGenerator takes a ControlSelector class in order to allow how control response information is selected and constructed separate from the generation logic.

I tried to follow the guidance of one-step one commit to keep the options open for breaking this down into smaller PRs. However, all the changes would be needed to get an OSCAL component definition that would be compatible with compliance-trestle.

• Fixes Publish CaC content as an OSCAL Component Definition for NIST 800-53 #11106

Review Hints:

This is PR is part two to #11286 so please see that PR to review the first two commits. Merged

Important Notes

• To support installing compliance-trestle during CI job execution for testing, changes were made to the workflow files in the following commits:
  9fea72d
  5fa74a9

• It performs a mapping from SSG status to OSCAL implementation status in the OscalStatus class

• The script uses the "Section letter:" convention in the control notes to create statements under the implemented requirements.

• The script maps parameter to rules uses the xccdf_variable field under template.vars

• To determine what responses will mapped to the controls in the OSCAL profile the control id and label property from the resolved catalog is searched.

How to test

An example of how to execute the script:

$ ./build_product ocp4
$ ./utils/rule_dir_json.py
$ ./utils/oscal/build_cd_from_policy.py -o build/ocp4.json -p fedramp_rev4_high -pr ocp4 -c nist_ocp4:high

Example of how to verify compatibility with compliance-trestle

$ mkdir tmp-trestle-dir
$ cd tmp-trestle-dir && trestle init
$ trestle import -f https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev4/baselines/json/FedRAMP_rev4_HIGH-baseline_profile.json -o fedramp_rev4_high
$ trestle import -f ../content/build/ocp4.json -o ocp4
$ trestle author component-generate --name ocp4 -o markdown/components/ocp4
# Here you will notice that the implementation and rules are populated in the Markdown
$ cat markdown/components/ocp4/ocp4/fedramp_rev4_high/cm/cm-6.1.md

[openshift-ci]

Hi @jpower432. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

ocp4 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[Mab879]

/packit build

[Mab879]

/packit build

[Mab879]

Thanks for the PR. I do have a few comments.

[codeclimate]

Code Climate has analyzed commit 4c8fa7d and detected 2 issues on this pull request.

Here's the issue category breakdown:

Category	Count
Complexity	2

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.5% (0.0% change).

View more on Code Climate.

[Mab879]

/packit rebuild-failed

[Mab879]

Waving Automatus tests as the test rules don't need tests.

[Mab879]

/packit retest-failed

[Mab879]

Thanks for your hard work on this PR!