feat!: updates AssessmentStep to AssessmentMethod #83
Conversation
trumant
left a comment
trumant
left a comment
There was a problem hiding this comment.
Quick review from my phone. Will take a deeper look on Monday morning
schemas/layer-4.cue
Outdated
| "corrupted-state": bool | ||
| // RemediationGuide is the URL to the documentation for this evaluation | ||
| "remediation-guide": string | ||
| // Assessments is a map of pointers to Assessment objects to establish idempotency |
There was a problem hiding this comment.
This looks to be a slice not a map
There was a problem hiding this comment.
Good catch! Found that in a couple places actually. Updated on the last commit.
schemas/layer-4.cue
Outdated
| // Methods is a slice of assessment methods that were executed during the test | ||
| methods: [...#AssessmentMethod] | ||
| // MethodsExecuted is the number of assessment methods that were executed during the test | ||
| "methods-executed"?: int @go(MethodExecuted) |
schemas/layer-4.cue
Outdated
| "target-object"?: _ | ||
| } | ||
| // TargetName is the name or ID of the resource or configuration that is to be changed | ||
| "target-name": string @go(TagertName) |
There was a problem hiding this comment.
| "target-name": string @go(TagertName) | |
| "target-name": string @go(TargetName) |
schemas/layer-4.cue
Outdated
| // Methods defines the assessment methods associated with the assessment | ||
| methods: [...#AssessmentMethod] | ||
| // MethodsExecuted is the number of assessment methods that were executed during the assessment | ||
| "methods-executed"?: int @go(MethodsExecuted) |
There was a problem hiding this comment.
Why is this data summarized here when it can be computed easily enough by the data consumer?
There was a problem hiding this comment.
Thanks for the feedback. You're right - the steps-counter field made sense for a standalone function, but with the new run field in the AssessmentMethod struct, it's redundant.
jpower432
force-pushed
the
break/assessment-method
branch
from
04bf5a4 to
fc8a208
Compare
Moves from AssessmentStep to AssessmentMethod to allow for metadata to be used to describe the check or test Signed-off-by: Jennifer Power <[email protected]>
The layer 4 schema is not up to date with the Go code implemented. This chanes updates the schema and uses evaluation data generated from L4 unit tests to verify againt the schema. Signed-off-by: Jennifer Power <[email protected]>
Signed-off-by: Jennifer Power <[email protected]>
Signed-off-by: Jennifer Power <[email protected]>
Signed-off-by: Jennifer Power <[email protected]>
Some of the comments around AssessementMethod require clarification around intended usage Signed-off-by: Jennifer Power <[email protected]>
To better show the impact of the change, the testdata was updated to an example from the pvtr baseline validator Signed-off-by: Jennifer Power <[email protected]>
This commit refactors the AssessmentMethod schema to use CUE's disjunction feature to formally define conditional logic for the run and result fields. The schema was allowing a state where run was true but a result was missing. Signed-off-by: Jennifer Power <[email protected]>
Co-authored-by: Travis Truman <[email protected]> Signed-off-by: Jennifer Power <[email protected]> Signed-off-by: Jennifer Power <[email protected]>
This change normalizes descriptions between different types defined in cue for layer4 and removes Go type language from the cue schema comments Signed-off-by: Jennifer Power <[email protected]>
jpower432
force-pushed
the
break/assessment-method
branch
from
fc8a208 to
d51aed2
Compare
This change refactors the work in the previous commits to allow for top-level metadata to support different types of assessment procedures and move the AssessmentSteps under AssessmentProcedure struct. The concept of "method" is updated to describe the procedure categorically for tools that run automated procedures. Signed-off-by: Jennifer Power <[email protected]>
jpower432
force-pushed
the
break/assessment-method
branch
from
d51aed2 to
d431b80
Compare
|
Add a commment to describe the refactor in d431b80 What Changed?
RationaleResults from a maintainer discussion where we decided the assessment logic should keep steps as they currently are, but adding procedure to allow for each assessment to contain multiple groups of steps. Points of Discussion
Open Questions
|
| "documentation-url"?: =~"^https?://[^\\s]+$" | ||
| "corrupted-state"?: bool | ||
| "assessment-results"?: [...#AssessmentResult] | ||
| // Name is the name of the control being evaluated |
There was a problem hiding this comment.
If we expect a tool will consume lower layers and produce output conforming with ControlEvaluation, should we consider a datetime here or elsewhere?
There was a problem hiding this comment.
I agree a timestamp would be valuable. The run-duration field in Assessments is useful, but I'm wondering if it would make more sense to include a start and end datetime and let the consumer calculate the duration as needed. WDYT?
| // RunDuration is the time it took to run the assessment | ||
| "run-duration"?: string @go(RunDuration) |
There was a problem hiding this comment.
Why do the typical data consumers care how long the assessment took? Or, put another way, what value does this data provide and to whome?
There was a problem hiding this comment.
Agree. This was part of the attempt to align the schema with the current struct in the Go library. I would propose start and end timestamps instead.
There was a problem hiding this comment.
I proposed something to address the run-duration field here - #112
| // RunDuration is the time it took to run the assessment | ||
| "run-duration"?: string @go(RunDuration) | ||
| // Value is the object that was returned during the assessment | ||
| value?: _ |
There was a problem hiding this comment.
this one's a bit legacy — was used to log details about the inspected value
| // Result communicates whether the assessment has been run, and if so, the outcome(s) | ||
| result: #Result |
There was a problem hiding this comment.
The "has been run" language here confuses me.
In what circumstances or use cases do we expect to have a document conforming to this schema that does not represent an Assessment activity that occurred in the past?
Is there value in having a layer4 payload that communicates an "intended" or "future" assessment?
There was a problem hiding this comment.
I think there are two use cases I was trying to capture:
- Currently, steps can have the state of
NotRunif a prior Assessment Step has failed and the process is halted. - Part of my intent/goal with adding the
Procedureswas to allow Layer4 to be used in pre-run state (essentially like a test plan) as an input to a tool to execute the tests and fill in the result information.
| // Result communicates whether the assessment has been run, and if so, the outcome(s) | ||
| result: #Result | ||
| // Message describes the result of the assessment | ||
| message: string |
There was a problem hiding this comment.
If it's describing the result, can we put it in #Result?
There was a problem hiding this comment.
I proposed something here to update the existing Result field - #113
| // ProcedureMethod describes method options that can be used to determine the results | ||
| #ProcedureMethod: "Test" | "Observation" |
There was a problem hiding this comment.
I think we need to clarify the language here. In my experience testing involves observation.
What value does this provide to the intended data consumers? How do you see them using this fact?
There was a problem hiding this comment.
I agree, these could be more descriptive. I wanted to allow categorization of the prodecures based on if the results were determined with automation or human judgement of behavior or state.
Perhaps:
| // ProcedureMethod describes method options that can be used to determine the results | |
| #ProcedureMethod: "Test" | "Observation" | |
| #EvaluationMethod: "Automated" | "Manual" |
How this would be used might depend on if we want to support Layer4 as an input. This allows categorization of the procedures so that they might be handled differently to determine the results.
| // Steps provides the address for the assessment steps executed | ||
| "steps"?: [...string] |
There was a problem hiding this comment.
How is a consumer of this data going to interpret, analyze or otherwise make use of this particular field?
| #Result: #ResultWhenRun | "Not Run" | ||
|
|
||
| // Result describes the outcome(s) of an assessment procedure when it is executed. | ||
| #ResultWhenRun: "Passed" | "Failed" | "Needs Review" | "Not Applicable" | "Unknown" |
There was a problem hiding this comment.
Contingent on the decision above on "has been run", but I'd propose removing #ResultWhenRun altogether
There was a problem hiding this comment.
I'm thinking a potential solution here is to capture whether a step, assessment, or procedure ran in different field like run and keep the results field focused on assessment outcomes. Perhaps this would align with your comment about adding message to results. WDYT?
|
Looks like this branch has drifted from main. I will perform a rebase and get it back into a reviewable state. |
|
Superseded by #117 |
3 participants
What Changed?
AssessmentMethodwas addedcueschema forlayer4was updated to validate the updated structure generate using the libraryThis removes the
AssessmentSteptype. Similar functionality can be acheived with theMethodExecutoronAssessmentMethod.Rationale
Adding AssessmentMethod supports a multi-method Assessment that is flexible enough to accommodate different types of procedures to complete a control requirement. This new structure also captures detailed information about each individual check. The goal of
AssessmentMethodis to be self-contained, allowing for composability and ensuring the solution retains the core functionality and structure of AssessmentSteps.Open Questions
Testing
A new file under
layer4/testdatawas added that is populated output from a Layer 4 structure generated by theTestEvaluateunit test. This was used to validate against the updated in thecueschema.cue vet -d "#Layer4" schemas/layer-4.cue layer4/testdata/good-evaluation.ymlIssues
Closes #73
Overlaps/Impact #23