Inventory - OS or Software Version

[Rene2mt]

Constraint Task

Consistent with issue #813, this work focuses on ensuring every inventory items has a "os-version" or "software-version" prop

Intended Outcome

• Every inventory-item where the (component) "asset type" is "software" MUST have a "software-version" property either within the inventory-item itself, or within the component linked by the inventory-item

NOTE - FedRAMP prefers "software-version" in all cases, but will accept "os-version" where appropriate.

Syntax Type

This is a FedRAMP constraint in the FedRAMP-specific namespace.

Allowed Values

There are no relevant allowed values.

Metapath(s) to Content

"context=""//inventory-item""

target="". | //component[@uuid=./implemented-component/@component-uuid]""

count(./prop[@name=('software-version', 'os-version') ]) >= 1 "

Purpose of the OSCAL Content

No response

Dependencies

No response

Acceptance Criteria

• All OSCAL adoption content affected by the change in this issue have been updated in accordance with the Documentation Standards.
  • Explanation is present and accurate
  • sample content is present and accurate
  • Metapath is present, accurate, and does not throw a syntax exception using oscal-cli metaschema metapath eval -e "expression".
• All constraints associated with the review task have been created
• The appropriate example OSCAL file is updated with content that demonstrates the FedRAMP-compliant OSCAL presentation.
• The constraint conforms to the FedRAMP Constraint Style Guide.
  • All automated and manual review items that identify non-conformance are addressed; or technical leads (David Waltermire; AJ Stein) have approved the PR and “override” the style guide requirement.
• Known good test content is created for unit testing.
• Known bad test content is created for unit testing.
• Unit testing is configured to run both known good and known bad test content examples.
• Passing and failing unit tests, and corresponding test vectors in the form of known valid and invalid OSCAL test files, are created or updated for each constraint.
• A Pull Request (PR) is submitted that fully addresses the goals section of the User Story in the issue.
• This issue is referenced in the PR.

Other information

No response

[Rene2mt]

@Gabeblis, I should have included earlier that the "os-version" and "software-version" props are only mandatory for components where @type="software". This could also be inventory-items with "asset-type" prop that have values of "operating-system", "container", or "image".

You'll have to adjust the Metapath above accordingly.

[Gabeblis]

@Rene2mt Just to clarify, we are checking each inventory-item that has a prop with @name='asset-type and @value=('operating-system', 'container', 'image') or a component with @type='software' and a uuid that matches the inventory-item component uuid, for the software version prop? or are we separately checking each component with @type='software' and each inventory-item that has a prop with @name='asset-type and @value=('operating-system', 'container', 'image')? The way I currently have it implemented in #1039 checks the inventory items and components with a matching uuid. However, it wouldn't catch a standalone component with @type='software' that isn't linked to an inventory-item.