Merge pull request #15 from yana1205/yana/heterogeneous

add example usage of heterogeneous PVPs
oscal-compass · Jun 4, 2024 · 7bdc7ac · 7bdc7ac
2 parents 2b0081c + 9721932
commit 7bdc7ac
Show file tree

Hide file tree

Showing 16 changed files with 1,763 additions and 10 deletions.
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -172,6 +172,15 @@
         "type": "Hex High Entropy String",
         "verified_result": null
       }
+    ],
+    "plugins_public/tests/data/heterogeneous/auditree.json": [
+      {
+        "hashed_secret": "1e5c2f367f02e47a8c160cda1cd9d91decbac441",
+        "is_verified": false,
+        "line_number": 12,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
     ]
   },
   "version": "0.13.1+ibm.61.dss",

diff --git a/c2p/tools/viewer/template.py b/c2p/tools/viewer/template.py
@@ -23,7 +23,9 @@
 
 {% for rule_result in control_result.rule_results %}
 {% if rule_result.subjects|length > 0 %}
-Rule {{ rule_result.id}}: {{ rule_result.description}}
+Rule `{{ rule_result.id}}`:
+- {{ rule_result.description}}
+
 <details><summary>Details</summary>
 {% for subject in rule_result.subjects %}
 

diff --git a/c2p/tools/viewer/viewer.py b/c2p/tools/viewer/viewer.py
@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-from typing import List, Optional
+from typing import Dict, List, Optional
 
 from jinja2 import Template
 from pydantic import BaseModel
@@ -73,15 +73,22 @@ def get_pass_fail_icon(result):
 
 
 def render(assessment_results: AssessmentResults, component_definition: ComponentDefinition) -> str:
-    rule_sets = []
+    rule_sets_map: Dict[str, List[Dict[str, str]]] = {}
     for component in component_definition.components:
         if is_component_type_validation(component.type):
-            rule_sets = rule_sets + group_props_by_remarks(component)
+            rule_sets_map[component.title] = group_props_by_remarks(component)
 
     components: List[DefinedComponent] = list(
         filter(lambda x: not is_component_type_validation(x.type), component_definition.components)
     )
 
+    def get_pvp_rule_pair(rule_id):
+        for pvp, rule_sets in rule_sets_map.items():
+            for rule in rule_sets:
+                if rule['Rule_Id'] == rule_id:
+                    return (pvp, rule)
+        return None, None
+
     render_components = []
     for component in components:
         rendered_component = RenderedComponent(title=component.title)
@@ -91,9 +98,9 @@ def render(assessment_results: AssessmentResults, component_definition: Componen
                 control_result = ControlResult(id=control_id)
                 for prop in filter(lambda x: x.name == 'Rule_Id', imple_req.props):
                     rule_id = prop.value
-                    rule_set = next(filter(lambda x: x['Rule_Id'] == rule_id, rule_sets), None)
+                    pvp, rule_set = get_pvp_rule_pair(rule_id)
                     if rule_set != None:
-                        rule_result = RuleResult(id=rule_id, description=rule_set['Check_Description'])
+                        rule_result = RuleResult(id=f'{rule_id} ({pvp})', description=rule_set['Check_Description'])
                         o = find_observation(assessment_results.results[0].observations, rule_set['Check_Id'])
                         if o != None:
                             for subject in o.subjects:

diff --git a/docs/public/heterogeneous.md b/docs/public/heterogeneous.md
@@ -0,0 +1,47 @@
+## Work on heterogeneous PVPs
+
+Usecase of security checks against system (Github and Managed Kubernetes clusters) by multiple PVPs (Auditree, Kyverno, and OCM Policy).
+
+![heterogeneous](https://github.com/oscal-compass/compliance-to-policy/assets/113283236/bb64f81a-986c-41fa-83c6-4e7e9165af76)
+
+#### Steps
+1. (Optional) Create OSCAL Component Defintion including multiple PVPs as validation components
+    - [component-definition.csv](/plugins_public/tests/data/heterogeneous/component-definition.csv)
+1. Generate PVP policies from the OSCAL Component Definition
+    ```
+    python samples_public/heterogeneous/compliance_to_policy.py \
+      -c ./plugins_public/tests/data/heterogeneous/component-definition.json \
+      -o ./policies
+    ```
+    1. Policies for each PVP are generated
+        ```
+        $ tree -L 2 policies
+        policies
+        ├── auditree
+        │   └── auditree.json
+        ├── kyverno
+        │   ├── allowed-base-images
+        │   └── disallow-capabilities
+        └── ocm
+            ├── kustomization.yaml
+            ├── parameters.yaml
+            ├── policy-deployment
+            ├── policy-disallowed-roles
+            ├── policy-generator.yaml
+            └── policy-high-scan
+        ```
+1. (Optional) Collect policy validation results from system
+    - Example all PVP results are located in [/plugins_public/tests/data](/plugins_public/tests/data).
+1. Generate OSCAL Assessment Results from PVP results 
+    ```
+    python samples_public/heterogeneous/result_to_compliance.py \
+      -c ./plugins_public/tests/data/heterogeneous/component-definition.json \
+      -r ./plugins_public/tests/data > assessment-results.json
+    ```
+1. OSCAL Assessment Results is not human readable format. You can see the merged report in markdown by a quick viewer.
+    ```
+    c2p tools viewer \
+      -cdef ./plugins_public/tests/data/heterogeneous/component-definition.json \
+      -ar assessment-results.json
+    ```
+    e.g. [result.md](/docs/public/heterogeneous.result.md)