Merge pull request #462 from mitre/448-poam

VULCAN-448: Add concept of compensating controls and POA&M statuses to Applicable - Does Not Meet status

app/controllers/rules_controller.rb

@@ -136,9 +136,9 @@ def rule_update_params
  rule_descriptions_attributes: %i[id description _destroy],
  additional_answers_attributes: %i[id additional_question_id answer],
  disa_rule_descriptions_attributes: %i[
- id vuln_discussion false_positives false_negatives documentable mitigations
- severity_override_guidance potential_impacts third_party_tools mitigation_control
- responsibility ia_controls _destroy
+ id vuln_discussion false_positives false_negatives documentable mitigations_available
+ mitigations poam_available poam severity_override_guidance potential_impacts
+ third_party_tools mitigation_control responsibility ia_controls _destroy
  ]
  )
  end

app/javascript/components/rules/forms/AdvancedRuleForm.vue

@@ -261,7 +261,10 @@ export default {
  "vuln_discussion",
  "false_positives",
  "false_negatives",
+ "mitigations_available",
  "mitigations",
+ "poam_available",
+ "poam",
  "severity_override_guidance",
  "potential_impacts",
  "third_party_tools",

app/javascript/components/rules/forms/BasicRuleForm.vue

@@ -117,7 +117,10 @@ export default {
  if (this.rule.status == "Applicable - Configurable") {
  return { displayed: ["vuln_discussion"], disabled: [] };
  } else if (this.rule.status == "Applicable - Does Not Meet") {
- return { displayed: ["mitigations"], disabled: [] };
+ return {
+ displayed: ["mitigations_available", "mitigations", "poam_available", "poam"],
+ disabled: [],
+ };
  } else if (this.rule.status == "Not Yet Determined") {
  return { displayed: ["vuln_discussion"], disabled: ["vuln_discussion"] };
  } else {

app/javascript/components/rules/forms/DisaRuleDescriptionForm.vue

@@ -149,9 +149,31 @@
  </b-form-invalid-feedback>
  </b-form-group>
 
+ <!-- mitigations available -->
+ <b-form-group
+ v-if="fields.displayed.includes('mitigations_available')"
+ :id="`ruleEditor-disa_rule_description-mitigations-available-group-${mod}`"
+ >
+ <b-form-checkbox
+ :id="`ruleEditor-disa_rule_description-mitigations-available-${mod}`"
+ :checked="description.mitigations_available"
+ switch
+ @input="
+ $root.$emit(
+ 'update:disaDescription',
+ rule,
+ { ...description, mitigations_available: $event },
+ index
+ )
+ "
+ >
+ Mitigations Available
+ </b-form-checkbox>
+ </b-form-group>
+
  <!-- mitigations -->
  <b-form-group
- v-if="fields.displayed.includes('mitigations')"
+ v-if="fields.displayed.includes('mitigations') && description.mitigations_available"
  :id="`ruleEditor-disa_rule_description-mitigations-group-${mod}`"
  >
  <label :for="`ruleEditor-disa_rule_description-mitigations-${mod}`">
@@ -189,6 +211,63 @@
  </b-form-invalid-feedback>
  </b-form-group>
 
+ <!-- poam available -->
+ <b-form-group
+ v-if="fields.displayed.includes('poam_available') && !description.mitigations_available"
+ :id="`ruleEditor-disa_rule_description-poam-available-group-${mod}`"
+ >
+ <b-form-checkbox
+ :id="`ruleEditor-disa_rule_description-poam-available-${mod}`"
+ :checked="description.poam_available"
+ switch
+ @input="
+ $root.$emit(
+ 'update:disaDescription',
+ rule,
+ { ...description, poam_available: $event },
+ index
+ )
+ "
+ >
+ POA&amp;M Available
+ </b-form-checkbox>
+ </b-form-group>
+
+ <!-- poam -->
+ <b-form-group
+ v-if="fields.displayed.includes('poam') && description.poam_available"
+ :id="`ruleEditor-disa_rule_description-poam-group-${mod}`"
+ >
+ <label :for="`ruleEditor-disa_rule_description-poam-${mod}`">
+ POA&amp;M
+ <i
+ v-if="tooltips['poam']"
+ v-b-tooltip.hover.html
+ class="mdi mdi-information"
+ aria-hidden="true"
+ :title="tooltips['poam']"
+ />
+ </label>
+ <b-form-textarea
+ :id="`ruleEditor-disa_rule_description-poam-${mod}`"
+ :value="description.poam"
+ :class="inputClass('poam')"
+ placeholder=""
+ :disabled="disabled || fields.disabled.includes('poam')"
+ rows="1"
+ max-rows="99"
+ @input="
+ $root.$emit('update:disaDescription', rule, { ...description, poam: $event }, index)
+ "
+ />
+ <b-form-valid-feedback v-if="hasValidFeedback('poam')">
+ {{ validFeedback["poam"] }}
+ </b-form-valid-feedback>
+ <b-form-invalid-feedback v-if="hasInvalidFeedback('poam')">
+ {{ invalidFeedback["poam"] }}
+ </b-form-invalid-feedback>
+ </b-form-group>
+
  <!-- severity_override_guidance -->
  <b-form-group
  v-if="fields.displayed.includes('severity_override_guidance')"
@@ -462,7 +541,10 @@ export default {
  "vuln_discussion",
  "false_positives",
  "false_negatives",
+ "mitigations_available",
  "mitigations",
+ "poam_available",
+ "poam",
  "severity_override_guidance",
  "potential_impacts",
  "third_party_tools",
@@ -495,6 +577,10 @@ export default {
  ].includes(this.rule.status)
  ? null
  : "Discuss how the system mitigates this vulnerability in the absence of a configuration that would eliminate it",
+ poam:
+ this.rule.status === "Applicable - Does Not Meet"
+ ? "Discuss the action of the POA&M in place for this vulnerability, including the start date and end date of the action"
+ : null,
  severity_override_guidance: null,
  potential_impacts:
  "List the potential operational impacts on a system when applying fix discussed in this control",

db/migrate/20220815180252_add_poam_to_disa_rule_descriptions.rb

@@ -0,0 +1,7 @@
+class AddPoamToDisaRuleDescriptions < ActiveRecord::Migration[6.1]
+ def change
+ add_column :disa_rule_descriptions, :mitigations_available, :boolean
+ add_column :disa_rule_descriptions, :poam_available, :boolean
+ add_column :disa_rule_descriptions, :poam, :text
+ end
+end

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 2022_05_18_053923) do
+ActiveRecord::Schema.define(version: 2022_08_15_180252) do
 
  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"
@@ -154,6 +154,9 @@
  t.text "ia_controls"
  t.datetime "created_at", precision: 6, null: false
  t.datetime "updated_at", precision: 6, null: false
+ t.boolean "mitigations_available"
+ t.boolean "poam_available"
+ t.text "poam"
  t.index ["base_rule_id"], name: "index_disa_rule_descriptions_on_base_rule_id"
  end