Merge pull request #54 from jpower432/PSCE-236

feat: adds support for rules in YAML format

.github/workflows/autofix-cd.yml

@@ -8,8 +8,9 @@ on:
         type: string
 
 
+# Using concurrency to ensure any branch-modifying workflows are not run at the same time.
 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
+  group: sync-${{ inputs.branch }}
   cancel-in-progress: true
 
 jobs:
@@ -32,7 +33,7 @@ jobs:
           token: ${{ steps.get_installation_token.outputs.token }}
       - name: Autofix components
         id: autofix-component
-        uses: RedHatProductSecurity/trestle-bot@v0.1.1
+        uses: RedHatProductSecurity/trestle-bot/actions/autosync@v0.3.0
         with:
           markdown_path: "markdown/components"
           oscal_model: "compdef"

.github/workflows/create-new.yml

@@ -51,7 +51,7 @@ jobs:
           COMP_DESCRIPTION: ${{ github.event.inputs.component_description }}
       - name: Generate and PR new component definition
         id: generate-cd
-        uses: RedHatProductSecurity/trestle-bot@v0.1.1
+        uses: RedHatProductSecurity/trestle-bot/actions/autosync@v0.3.0
         with:
           markdown_path: "markdown/components"
           oscal_model: "compdef"

.github/workflows/linters.yml

@@ -4,7 +4,8 @@ name: MegaLinter
 on:
   push:
   pull_request:
-    branches: main
+    branches: 
+    - main
 
 concurrency:
   group: ${{ github.ref }}-${{ github.workflow }}

.github/workflows/manual-transform.yml

@@ -0,0 +1,11 @@
+name: Run transform adhoc
+
+on:
+  workflow_dispatch:
+
+jobs:
+  call-transform:
+    uses: ./.github/workflows/transform-rules.yml
+    with:
+      branch: ${{ github.ref_name }}
+    secrets: inherit

.github/workflows/regenerate-cd.yml

@@ -30,7 +30,7 @@ jobs:
           token: ${{ steps.get_installation_token.outputs.token }}
       - name: Regenerate component definitions
         id: regenerate
-        uses: RedHatProductSecurity/trestle-bot@v0.1.1
+        uses: RedHatProductSecurity/trestle-bot/actions/autosync@v0.3.0
         with:
           markdown_path: "markdown/components"
           oscal_model: "compdef"

.github/workflows/transform-on-push.yml

@@ -0,0 +1,18 @@
+name: Transform Rules On Push
+
+# Only run on pushes to branches other than main. Pushes to main should be
+# a result of a pull request merge. The transform rules operation is not idempotent
+# and the OSCAL JSON will be modified each time it is run.
+on:
+  push:
+    branches-ignore:
+      - main
+    paths:
+      - 'rules/**'
+
+jobs:
+  call-transform:
+    uses: ./.github/workflows/transform-rules.yml
+    with:
+      branch: ${{ github.ref_name }}
+    secrets: inherit

.github/workflows/transform-rules.yml

@@ -0,0 +1,41 @@
+name: Transform Rules
+
+on:
+  workflow_call:
+    inputs:
+      branch:
+        required: true
+        type: string
+
+# Using concurrency to ensure any branch-modifying workflows are not run at the same time.
+concurrency:
+  group: sync-${{ inputs.branch }}
+  cancel-in-progress: true
+
+jobs:
+  transform-rules:
+    name: Transform rules content
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate app token
+        uses: tibdex/github-app-token@v1
+        id: get_installation_token
+        with: 
+          app_id: ${{ secrets.APP_ID }}
+          private_key: ${{ secrets.PRIVATE_KEY }}
+          permissions: >-
+            {"contents": "write"}
+      - name: Clone
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ inputs.branch }}
+          token: ${{ steps.get_installation_token.outputs.token }}
+      - name: Transform rules
+        id: transform
+        uses: RedHatProductSecurity/trestle-bot/actions/[email protected]
+        with:
+          rules_view_path: "rules/"
+          file_pattern: "*.json,rules/*"
+          branch: ${{ inputs.branch }}
+          commit_user_name: "trestle-bot[bot]"
+          commit_user_email: "136850459+trestle-bot[bot]@users.noreply.github.com"

.github/workflows/validate.yml

@@ -1,13 +1,16 @@
 name: Evaluate component definitions
 on:
   pull_request:
-    types: [ opened, ready_for_review, reopened, synchronize ]
     branches:
       - main
     paths:
       - 'component-definitions/**'
       - 'markdown/components/**'
-      - 'data/**'
+
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
 jobs:
   test:
     name: Evaluate components
@@ -17,21 +20,20 @@ jobs:
     steps:
       - name: Clone
         uses: actions/checkout@v3
-        with:
-          ref:  ${{ github.head_ref }}
       - name: Check components
         id: check-components
-        uses: RedHatProductSecurity/trestle-bot@v0.1.1
+        uses: RedHatProductSecurity/trestle-bot/actions/autosync@v0.3.0
         with:
           markdown_path: "markdown/components"
           oscal_model: "compdef"
           check_only: true
-      - name: CSV sanity check 
-        run: make check-csv
 
+  # Only autofix if the test job fails and the PR is from the same repo
   call-autofix:
     needs: [test]
-    if: ${{ always() && contains(needs.*.result, 'failure') }}
+    if: |
+      always() && contains(needs.*.result, 'failure')
+      && github.event.pull_request.base.repo.url == github.event.pull_request.head.repo.url
     uses: ./.github/workflows/autofix-cd.yml
     with:
       branch: ${{ github.head_ref }}

.gitignore

@@ -161,3 +161,6 @@ cython_debug/
 
 ## Trestle Specifc
 .trestle/cache/
+
+
+.vscode/

Makefile

@@ -18,19 +18,6 @@ update-subtree:
 ## Component Definition Custom tasks
 ############################################################################
 
-# $1 - config path
-define update-cd
-echo $(1)
-trestle task csv-to-oscal-cd -c $(1);
-endef
-
-update-cds:
-	@source $(SCRIPTS_DIR)/trestle.sh && $(foreach f,$(CONFIGS),$(call update-cd,$(f)))
-.PHONY: update-cd
-
-check-csv:
-	@bash scripts/csv_sanity_check.sh
-
 trestlebot-install:
 	@python3 -m pip install --upgrade pip setuptools && python3 -m pip install -r requirements.txt
 .PHONY: trestlebot-install

component-definitions/example/component-definition.json

@@ -1,46 +1,72 @@
 {
   "component-definition": {
-    "uuid": "3f0a6f01-e123-4c9e-8d17-267a831d4471",
+    "uuid": "86378b1f-7ba6-4cac-bdd4-3b52b13f5132",
     "metadata": {
-      "title": "Component definition for Example",
-      "last-modified": "2023-05-08T21:56:09.855332+00:00",
+      "title": "Component definition for example",
+      "last-modified": "2023-10-13T14:07:08.049847+00:00",
       "version": "1.0",
       "oscal-version": "1.0.4"
     },
     "components": [
       {
-        "uuid": "49e7cc5c-395a-4ea9-a8dd-dc678515ae7b",
+        "uuid": "5752e82b-8d71-4d35-898c-e8aa5c474ed7",
         "type": "service",
         "title": "Example",
         "description": "Example Application",
         "props": [
           {
             "name": "Rule_Id",
-            "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd",
+            "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
             "value": "Test-rule_001",
             "remarks": "rule_set_0"
           },
           {
             "name": "Rule_Description",
-            "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd",
+            "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
             "value": "Ensure all of the services are running these tests",
             "remarks": "rule_set_0"
+          },
+          {
+            "name": "Parameter_Id",
+            "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
+            "value": "prm_1",
+            "remarks": "rule_set_0"
+          },
+          {
+            "name": "Parameter_Description",
+            "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
+            "value": "prm_1 description",
+            "remarks": "rule_set_0"
+          },
+          {
+            "name": "Parameter_Value_Alternatives",
+            "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
+            "value": "{'default': '5%', '5pc': '5%', '10pc': '10%', '15pc': '15%', '20pc': '20%'}",
+            "remarks": "rule_set_0"
           }
         ],
         "control-implementations": [
           {
-            "uuid": "66666ab1-f02c-4bb2-a64b-0f90f73910a5",
+            "uuid": "95f1cd02-e507-44b7-9ef7-22c5b4c557ad",
             "source": "profiles/fedramp_rev5_high/profile.json",
             "description": "FedRAMP REV5 High Baseline",
+            "set-parameters": [
+              {
+                "param-id": "prm_1",
+                "values": [
+                  "5%"
+                ]
+              }
+            ],
             "implemented-requirements": [
               {
-                "uuid": "cae26ab2-9172-450d-9525-351195bc5879",
+                "uuid": "ae9abfdf-ac4a-4dcb-bf53-ca91e3b86971",
                 "control-id": "ac-1",
                 "description": "",
                 "props": [
                   {
                     "name": "Rule_Id",
-                    "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd",
+                    "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal",
                     "value": "Test-rule_001"
                   },
                   {

docs/design.md

@@ -0,0 +1,50 @@
+# Design
+
+In the repository, GitHub Actions is used to manage the trestle workspace. This document describes the purpose and design of each workflow.
+
+## Workflows
+
+#### Create
+
+Associated Workflows
+- [create-new.yml](../.github/workflows/create-new.yml)
+
+The `create-new` workflow is triggered manually by going to the Action tab. This creates a new OSCAL component definitions in the trestle workspace. A new branch is created and a pull request is opened.
+
+#### AutoFix
+
+Associated Workflows
+- [autofix-cd.yml](../.github/workflows/autofix-cd.yml)
+- [manual-autofix.yml](../.github/workflows/manual-autofix.yml)
+- [validate.yml](../.github/workflows/validate.yml)
+
+The `validate` workflow is triggered when a pull request is created or updated with updates to component definitions. It validates the trestle workspace and automatically sync any difference between the OSCAL JSON files and trestle managed Markdown files. The same workflow can be triggered through the Action tab using the `Run autofix adhoc` workflow. The `autofix-cd.yml` has all common logic for both workflows. The `validate.yml` and `manual-autofix.yml` workflows adds customer triggers and logic.
+
+The `validate` workflow will run checks with read-only permissions when a pull request is opened from a from a fork, but the autofix workflow will not run.
+
+#### Transform
+
+Associated Workflows
+- [transform-rules.yml](../.github/workflows/transform-rules.yml)
+- [manual-transform.yml](../.github/workflows/manual-transform.yml)
+- [transform-on-push.yml](../.github/workflows/transform-on-push.yml)
+
+The `transform-on-push` workflow when files under the `rules` directory are made. This will transform the rules managed in YAML into OSCAL JSON files. The `transform-rules.yml` workflow has all common logic for both workflows. The `manual-transform.yml` and `transform-on-push.yml` workflows adds customer triggers and logic.
+
+Concurrency groups are in place to ensure this does not run at the same time as any branch altering workflows to avoid overwrite to the branches. This can occur if a branch containing rules updates is modified while a pull request is open for the branch.
+
+#### Regenerate
+
+Associated Workflows
+- [regenerate-cd.yml](../.github/workflows/regenerate-cd.yml)
+
+The regenerate workflow is triggered when changes to catalogs, profile, or component definitions in OSCAL JSON format are merged to main. This will regenerate the markdown and open a pull request if any changes are found.
+
+#### Update Profile
+
+Associated Workflows
+- [update-profile.yml](../.github/workflows/update-profile.yml)
+
+The `update-profile` workflow is triggered manually to pull in updated profile information from upstream sources. This will update the profile information in the trestle workspace and open a pull request.
+
+

rules/example/Example/rule_1.yml

@@ -0,0 +1,17 @@
+x-trestle-rule-info:
+  name: Test-rule_001
+  description: Ensure all of the services are running these tests
+  parameter:
+    name: prm_1
+    description: prm_1 description
+    alternative-values: {'default': '5%', '5pc': '5%', '10pc': '10%', '15pc': '15%', '20pc': '20%'}
+    default-value: '5%'
+  profile:
+    description: FedRAMP REV5 High Baseline
+    href: profiles/fedramp_rev5_high/profile.json
+    include-controls:
+      - id: ac-1
+x-trestle-component-info:
+  name: Example
+  description: Example Application
+  type: service