Image has checksum (GSA#1053)

* test scaffolds added

* initial attempt at writing pass and fail content

* feature file

* revised target to appropriate place

* removed old target

* added in proper ns

* Update src/validations/constraints/fedramp-external-constraints.xml

Co-authored-by: A.J. Stein <alexander.stein@gsa.gov>

* AJ suggestion for more complete example

* added comments

---------

Co-authored-by: A.J. Stein <alexander.stein@gsa.gov>

features/fedramp_extensions.feature

@@ -103,6 +103,7 @@ Examples:
   | has-system-id |
   | has-system-name-short |
   | has-user-guide |
+  | image-has-checksum |
   | implementation-status-has-remarks |
   | import-profile-has-available-document |
   | import-profile-resolves-to-fedramp-content |
@@ -337,6 +338,8 @@ Examples:
   | has-system-name-short-PASS.yaml |
   | has-user-guide-FAIL.yaml |
   | has-user-guide-PASS.yaml |
+  | image-has-checksum-FAIL.yaml |
+  | image-has-checksum-PASS.yaml |
   | implementation-status-has-remarks-FAIL.yaml |
   | implementation-status-has-remarks-PASS.yaml |
   | import-profile-has-available-document-FAIL.yaml |

src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml

@@ -1769,6 +1769,29 @@ compliance (e.g., Module in Process).</p>
       </remarks>
     </component>
 
+    <component uuid="11111111-2222-4000-8000-009000309803" type="software">
+      <title>Official container image for Debian Stable</title>
+      <description>
+        <p>FUNCTION: This container image is the base operating system used in the example. A notional CSP, like Awesome Cloud, would update and customize this image for business, reliability, and security needs.</p>
+      </description>
+      <prop name="asset-type" value="image"/>
+      <prop name="checksum" ns="http://fedramp.gov/ns/oscal" value="504931a74cb58330cafb9f59f5e553af3cc63af205dc955f7f80dc981276def0"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
+      <prop name="vendor-name" value="Software in the Public Interest"/>
+      <prop name="model" value="stable-slim"/>
+      <prop name="version" value="11"/>
+      <prop name="patch-level" value="Patch Level"/>
+      <link rel="validation" href="#11111111-2222-4000-8000-009000000002"/>
+      <link href="https://hub.docker.com/layers/library/debian/stable/images/sha256-e83913597ca9deb9d699316a9a9d806c2a87ed61195ac66ae0a8ac55089a84b9"/>
+      <status state="operational"/>
+      <responsible-role role-id="admin-unix">
+        <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid>
+      </responsible-role>
+      <remarks>
+        <p>This example container image is for a non-commercial, community-maintained Linux distribution as a non-normative example with a currently valid checksum. See a link above to the example image metadata and technical details from its officially published location on the Docker Hub registry.</p>
+      </remarks>
+    </component>
+
 
     <component uuid="11111111-2222-4000-8000-009000400001" type="hardware">
       <title>[SAMPLE]Product</title>

src/validations/constraints/content/ssp-image-has-checksum-INVALID.xml

@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<?xml-model href="https://github.com/usnistgov/OSCAL/releases/download/v1.1.3/oscal_ssp_schema.xsd" schematypens="http://www.w3.org/2001/XMLSchema" title="OSCAL complete schema"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000">
+  <system-implementation>
+    <component uuid="11111111-2222-4000-8000-009000500001" type="software">
+      <title>Operating System Image</title>
+      <description>
+        <p>An operating system image that runs a Linux instance</p>
+      </description>
+      <prop name="leveraged-authorization-uuid" value="11111111-2222-4000-8000-019000000001"/>
+      <prop name="asset-type" value="image"/>
+      <!--No property of value checksum defined-->
+      <!--<prop name="checksum" ns="http://fedramp.gov/ns/oscal" value="6c657e4a8583451384eef47e86cdd535b3589e2b857f8d956a3b8074fafc0b85"/>-->
+      <prop name="implementation-point" value="internal"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="information-type" class="incoming" value="C.3.5.1"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="information-type" class="outgoing" value="C.3.5.8"/>
+      <link rel="provided-by" href="#11111111-2222-4000-8000-009000100001"/>
+      <status state="operational"/>
+      <responsible-role role-id="administrator">
+        <prop name="privilege-uuid" value="11111111-2222-4000-8000-008000000004" ns="http://fedramp.gov/ns/oscal"/>
+        <prop name="privilege-uuid" value="11111111-2222-4000-8000-008000000005" ns="http://fedramp.gov/ns/oscal"/>
+      </responsible-role>
+      <remarks>
+        <p>Insert detailed description of container image here</p>
+      </remarks>
+    </component>
+
+  </system-implementation>
+</system-security-plan>

src/validations/constraints/fedramp-external-constraints.xml

@@ -590,6 +590,11 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
                 <message>A FedRAMP SSP system implementation section MUST have at least two inventory items.</message>
             </expect>
+            <expect id="image-has-checksum" target="//component[@type='software' and ./prop[@name='asset-type' and @value='image']]" test="count(./prop[@name='checksum' and @ns='http://fedramp.gov/ns/oscal']) = 1" level="ERROR">
+                <formal-name>Container Image Has Checksum Property</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="insert-help-url-here"/>
+                <message>In a FedRAMP SSP, a component that describes a container or operating system image MUST define a checksum property.</message>
+            </expect>
             <expect id="information-type-has-class" target="component/prop[@name='information-type' and @ns='http://fedramp.gov/ns/oscal']" test="exists(@class)" level="ERROR">
                 <formal-name>Information Type Has Class</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
@@ -639,6 +644,7 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#ports-protocols-and-services"/>
                 <message>A FedRAMP SSP's component MUST reference the existing component(s) that use it via network communication. However, component "{../@uuid}" references a nonexistent component "{@href}".</message>
             </expect>
+
         </constraints>
     </context>
 
@@ -840,5 +846,4 @@
             </matches>
         </constraints>
     </context>
-
 </metaschema-meta-constraints>

src/validations/constraints/unit-tests/image-has-checksum-FAIL.yaml

@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for image-has-checksum
+  description: This test case validates the behavior of constraint image-has-checksum
+  content: ../content/ssp-image-has-checksum-INVALID.xml
+  expectations:
+    - constraint-id: image-has-checksum
+      result: fail

src/validations/constraints/unit-tests/image-has-checksum-PASS.yaml

@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for image-has-checksum
+  description: This test case validates the behavior of constraint image-has-checksum
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+    - constraint-id: image-has-checksum
+      result: pass