Feature/shared responsibility model [WIP] #254

wandmagic
Contributor

Committer Notes

Simply crafting a new example for the upcoming shared responsibility model.
This XML document compiles with the latest OSCAL XSD schema provided by the prototype shared responsibility branch. @iMichaela please take a look at the contents to be sure this is how this model is supposed to be used.

All Submissions:

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?
  • Have you squashed any non-relevant commits and commit messages? [instructions]
  • Do all automated CI/CD checks pass?

Changes to Core Features:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your core changes, as applicable?
  • Have you included examples of how to use your new feature(s)?

@wandmagic wandmagic changed the base branch from main to develop March 29, 2024 12:12
Contributor

@iMichaela iMichaela left a comment

This work merged into develop will fail the oscal-cli validation.

@iMichaela
Contributor

iMichaela commented Apr 1, 2024

Preliminary reviews: oscal_leveraged-example_ssp.xml is missing (see your branch) a component:

<component uuid="11111111-0000-4000-9001-000000000002" type="software">
    <title>Application</title>
    <description>
        <p>An application within the IaaS, exposed to SaaS customers and their downstream
            customers.</p>
        <p>This Leveraged IaaS maintains aspects of the application.</p>
        <p>The Leveraging SaaS maintains aspects of their assigned portion of the
            application.</p>
        <p>The customers of the Leveraging SaaS maintain aspects of their sub-assigned
            portions of the application.</p>
    </description>
    <prop name="implementation-point" value="internal" />
    <status state="operational" />
    <responsible-role role-id="admin">
        <party-uuid>11111111-0000-4000-9000-100000000001</party-uuid>
    </responsible-role>
</component>

The SSP is also implementing a different control than the one in the previous (1.3.0 content version, using OSCAL 1.1.2 version). It appears that the conversion was not done with the converter @wandmagic proposed.

Also, AC-1 control is not something that can be provided and inherited. None of the policy controls can.

The file has no requirement or statement that shows leveraged data. This is not a complete file.

@wandmagic
Contributor Author

Thanks for your comments. I was largely just composing the shape such that the XML document would validate against the oscal-cli and XSD documents to start. Is it possible to add a constraint so that the oscal-cli can warn the user against inheriting policy controls somehow?

Also, it would be convenient if a new branch could be made so that I can re-target this PR to a branch that is not in develop, as it is a WIP.
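
The warning asked about above can also be produced outside oscal-cli. The following is an added example, not part of this PR or of oscal-cli: a Python check that flags `provided` or `inherited` entries under any `-1` control in an SSP. It assumes the OSCAL 1.1.2 SSP element layout and namespace and treats every `xx-1` control as a policy control; the function name is hypothetical, and the sample document and its UUIDs (other than the component UUID quoted in the review) are constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"o": "http://csrc.nist.gov/ns/oscal/1.0"}  # OSCAL 1.x XML namespace
# Assumption: a "policy control" is the -1 control of a family (ac-1, at-1, ...).
# Enhancements (ac-2.1) and two-digit controls (ac-10) must not match.
POLICY_CONTROL = re.compile(r"[a-z]{2}-1")
SHARED_ELEMENTS = ("provided", "inherited")

# Constructed, trimmed SSP fragment (not schema-complete); UUIDs are made up
# except the component UUID, which is the one quoted in the review comment.
SAMPLE_SSP = """
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0">
 <control-implementation>
  <implemented-requirement uuid="aaaaaaaa-0000-4000-8000-000000000001" control-id="ac-1">
   <statement statement-id="ac-1_smt.a" uuid="aaaaaaaa-0000-4000-8000-000000000002">
    <by-component component-uuid="11111111-0000-4000-9001-000000000002" uuid="aaaaaaaa-0000-4000-8000-000000000003">
     <export><provided uuid="aaaaaaaa-0000-4000-8000-000000000004"/></export>
    </by-component>
   </statement>
  </implemented-requirement>
  <implemented-requirement uuid="aaaaaaaa-0000-4000-8000-000000000005" control-id="ac-2.1">
   <by-component component-uuid="11111111-0000-4000-9001-000000000002" uuid="aaaaaaaa-0000-4000-8000-000000000006">
    <inherited uuid="aaaaaaaa-0000-4000-8000-000000000007"
               provided-uuid="aaaaaaaa-0000-4000-8000-000000000008"/>
   </by-component>
  </implemented-requirement>
 </control-implementation>
</system-security-plan>
"""


def policy_control_warnings(ssp_xml):
    """Return (control-id, component-uuid, element, uuid) for each provided or
    inherited entry found under a policy (-1) control."""
    findings = []
    root = ET.fromstring(ssp_xml.strip())
    for req in root.iterfind(".//o:implemented-requirement", NS):
        control_id = req.get("control-id", "").lower()
        if not POLICY_CONTROL.fullmatch(control_id):
            continue
        # by-component may sit under the requirement itself or under a statement
        for by_comp in req.iterfind(".//o:by-component", NS):
            for name in SHARED_ELEMENTS:
                for el in by_comp.iterfind(f".//o:{name}", NS):
                    findings.append((control_id, by_comp.get("component-uuid"),
                                     name, el.get("uuid")))
    return findings
```

On the constructed sample it reports the `provided` entry under `ac-1` and ignores the `inherited` entry under the enhancement `ac-2.1`.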

@iMichaela
Contributor

iMichaela commented Apr 2, 2024

@wandmagic :

  1. Please use the prototype-shared-responsibility-examples branch.
  2. There is no need to implement warnings regarding the -1 policy controls. I must have wrongly understood that the upgraded examples are generated with the OSCAL content upgrader you generated. It would be important to use the existing examples so users can do a diff to more easily understand where the differences are. We can talk if you want and have time.
  3. I can provide files updated by hand so the converter can be tested against those files.

@iMichaela
Contributor

The PR was never completed. Closing it.

@iMichaela iMichaela closed this Jul 11, 2024