octool 0.0.5 → 0.0.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 03d4e6cdc68059584e26dd26983e2085aed2bb5593b1bb78d5307bc9938401d7
-  data.tar.gz: 15f8bf0c448fb1e1091f7e6ab78fbffba50925a2a7799dd66ff939674d135cea
+  metadata.gz: 35ad41804c6a3eb09cde544a272ea3b6e9108355ce0d32799846335e6d3d6345
+  data.tar.gz: 8573306612f8760275735e38e12e4295ccfec60ed731569558d7386063086850
 SHA512:
-  metadata.gz: a944191a813ab2ed2d122862466d79e65df9230e64ade9e73b83aefb8fcb98069bfaba0fec0876c539f63b7f229a16311b0721bd81eeb17b49b7564da2995051
-  data.tar.gz: e3b99bc6618b4192ba99a570bf6dd6a364c52540b73b39d80817a43e7364fdaf730596578756149e60cda5c0e56d3e75f643abdb11838a983f1d8943df9f0712
+  metadata.gz: 70a54c2b4a2224ee8933f2a09dd32d252c0ef18170a0e129fdeab5387eea01e42574ed40107efd80a5ca28648e9c0d52afa0d996d227d0fa28e0bfa3173c96e6
+  data.tar.gz: 352859097909847bf476ad7ab307eed31764ee0a41a388da32d9f112c47bacdacf155636ac7fb5e7eea89b9ba3c61348bf301459f45e81e2dca48b2e447b91b9

data/bin/octool

@@ -21,7 +21,7 @@ class App
     def self.find_config(args)
         path = args.first || OCTool::DEFAULT_CONFIG_FILENAME
         path = File.join(path, OCTool::DEFAULT_CONFIG_FILENAME) if File.directory?(path)
-        path
+        File.expand_path(path)
     end
 
     program_desc 'Open Compliance Tool'
@@ -51,6 +51,23 @@ class App
         v.default_command :data
     end
 
+    desc 'export data to CSV'
+    arg_name 'path/to/system/config.yaml'
+    command :csv do |csv|
+        csv.desc 'where to store outputs'
+        csv.default_value data_dir
+        csv.long_desc 'Default output directory respects env vars TMPDIR, TMP, TEMP'
+        csv.arg_name 'path/to/output/dir'
+        csv.flag [:d, :dir]
+
+        csv.action do |global_options, options, args|
+            export_dir = options[:dir]
+            config_file = find_config(args)
+            system = OCTool::Parser.new(config_file).load_system
+            system.dump export_dir
+        end
+    end
+
     desc 'validate data and generate System Security Plan'
     arg_name 'path/to/system/config.yaml'
     command :ssp do |s|
@@ -92,12 +109,12 @@ class App
         # Error logic here
         # Return false to skip default error handling.
         if ENV['DEBUG']
-            STDERR.puts exception.message
-            STDERR.puts exception.backtrace
+            warn exception.message
+            warn exception.backtrace
             pp exception
             false
         end
-        STDERR.puts '[FAIL]'
+        warn '[FAIL]'
         true
     end
 end

data/lib/octool.rb

@@ -3,12 +3,13 @@
 require 'octool/version.rb'
 
 # Built-ins.
+require 'csv'
+require 'json'
 require 'pp'
 
 # 3rd-party libs.
 require 'kwalify'
 require 'kwalify/util/hashlike'
-require 'recursive-open-struct'
 
 # OCTool libs.
 require 'octool/constants'

data/lib/octool/constants.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module OCTool
-    LATEST_SCHEMA_VERSION = 'v1.0.1'
+    LATEST_SCHEMA_VERSION = 'v1.0.2'
     BASE_SCHEMA_DIR = File.join(File.dirname(__FILE__), '..', '..', 'schemas').freeze
     ERB_DIR = File.join(File.dirname(__FILE__), '..', '..', 'templates').freeze
     DEFAULT_CONFIG_FILENAME = 'config.yaml'

data/lib/octool/parser.rb

@@ -4,6 +4,7 @@ module OCTool
     # Custom error to show validation errors.
     class ValidationError < StandardError
         attr_reader :errors
+
         def initialize(path, errors)
             @path = path
             @errors = errors
@@ -40,18 +41,17 @@ module OCTool
         end
 
         def validate_file(path, type)
-            parser = kwalify_parser(type)
-            data = parser.parse_file(path)
-            data['type'] = type
-            errors = parser.errors
+            kwalify = kwalifyer(type)
+            data = kwalify.parse_file(path)
+            errors = kwalify.errors
             raise ValidationError.new(path, errors) unless errors.empty?
 
-            RecursiveOpenStruct.new(data, recurse_over_arrays: true, preserve_original_keys: true)
+            data
         rescue SystemCallError, Kwalify::SyntaxError, ValidationError => e
             die e.message
         end
 
-        def kwalify_parser(type)
+        def kwalifyer(type)
             schema_file = File.join(schema_dir, "#{type}.yaml")
             schema = Kwalify::Yaml.load_file(schema_file)
             validator = Kwalify::Validator.new(schema)
@@ -65,7 +65,7 @@ module OCTool
         def schema_version
             @schema_version ||= Kwalify::Yaml.load_file(@config_file)['schema_version']
         rescue StandarError
-            STDERR.puts '[FAIL] Unable to read schema_version'
+            warn '[FAIL] Unable to read schema_version'
             exit(1)
         end
 
@@ -76,11 +76,45 @@ module OCTool
             sys = System.new(config)
             config['includes'].each do |inc|
                 path = File.join(base_dir, inc['path'])
-                sys.data << validate_file(path, inc['type'])
+                sys.data << include_data(path, inc['type'])
             end
             sys
         end
 
+        def include_data(path, type)
+            data = validate_file(path, type)
+            data['type'] = type
+            method("parsed_#{type}".to_sym).call(data)
+        end
+
+        def parsed_component(component)
+            component['attestations'].map! do |a|
+                # Add a "component_key" field to each attestation.
+                a['component_key'] = component['component_key']
+                a['satisfies'].map! do |s|
+                    # Add "attestation_key" to each control satisfied by this attestation.
+                    s['attestation_key'] = a['summary']
+                    # Add "component_key" to each control satisfied by this attestation.
+                    s['component_key'] = component['component_key']
+                    s
+                end
+                a
+            end
+            component
+        end
+
+        def parsed_standard(standard)
+            # Add 'standard_key' to each control family and to each control.
+            standard['families'].map! { |f| f['standard_key'] = standard['standard_key']; f }
+            standard['controls'].map! { |c| c['standard_key'] = standard['standard_key']; c }
+            standard
+        end
+
+        def parsed_certification(cert)
+            cert['requires'].map! { |r| r['certification_key'] = cert['certification_key']; r }
+            cert
+        end
+
         alias load_system validate_data
         alias load_file validate_file
     end

data/lib/octool/ssp.rb

@@ -18,16 +18,17 @@ module OCTool
                 Paru::Pandoc.new
             end
         rescue UncaughtThrowError
-            STDERR.puts '[FAIL] octool requires pandoc to generate the SSP. Is pandoc installed?'
+            warn '[FAIL] octool requires pandoc to generate the SSP. Is pandoc installed?'
             exit(1)
         end
 
         def generate
             unless File.writable?(@output_dir)
-                STDERR.puts "[FAIL] #{@output_dir} is not writable"
+                warn "[FAIL] #{@output_dir} is not writable"
                 exit(1)
             end
             render_template
+            write_acronyms
             write 'pdf'
             write 'docx'
         end
@@ -41,18 +42,30 @@ module OCTool
             puts 'done'
         end
 
+        def write_acronyms
+            return unless @system.acronyms
+
+            out_path = File.join(@output_dir, 'acronyms.json')
+            File.open(out_path, 'w') { |f| f.write JSON.pretty_generate(@system.acronyms) }
+            ENV['PANDOC_ACRONYMS_ACRONYMS'] = out_path
+        end
+
         # rubocop:disable Metrics/AbcSize,Metrics/MethodLength
         def write(type = 'pdf')
             out_path = File.join(@output_dir, "ssp.#{type}")
             print "Building #{out_path} ... "
             converter = pandoc.configure do
-                from 'markdown'
+                from 'markdown+autolink_bare_uris'
                 to type
                 pdf_engine 'lualatex'
                 toc
                 toc_depth 3
                 number_sections
                 highlight_style 'pygments'
+                filter 'pandoc-acronyms' if ENV['PANDOC_ACRONYMS_ACRONYMS']
+                # https://en.wikibooks.org/wiki/LaTeX/Source_Code_Listings#Encoding_issue
+                # Uncomment the following line after the "listings" package is compatible with utf8
+                # listings
             end
             output = converter << File.read(md_path)
             File.new(out_path, 'wb').write(output)

data/lib/octool/system.rb

@@ -6,73 +6,79 @@ module OCTool
         attr_accessor :config
         attr_accessor :data
 
+        TABLE_NAMES = [
+            'components',
+            'satisfies',
+            'attestations',
+            'standards',
+            'controls',
+            'families',
+            'certifications',
+            'requires',
+        ].freeze
+
         def initialize(config)
             @config = config
             @data = []
         end
 
+        def acronyms
+            @acronyms ||= config['acronyms']
+        end
+
         def certifications
-            @certifications ||= @data.select { |e| e.type == 'certification' }
+            @certifications ||= data.select { |e| e['type'] == 'certification' }
         end
 
         def components
-            @components ||= @data.select { |e| e.type == 'component' }
+            @components ||= data.select { |e| e['type'] == 'component' }
         end
 
         def standards
-            @standards ||= @data.select { |e| e.type == 'standard' }
+            @standards ||= data.select { |e| e['type'] == 'standard' }
         end
 
         # List of all attestations claimed by components in the system.
         def attestations
-            @attestations ||= begin
-                @attestations = []
-                components.each do |c|
-                    # Add a "component_key" field to each attestation.
-                    c.attestations.map! { |e| e['component_key'] = c.component_key; e }
-                    @attestations << c.attestations
-                end
-                @attestations.flatten!
-            end
+            @attestations ||= components.map { |c| c['attestations'] }.flatten
         end
 
         # List of all coverages.
         def satisfies
-            @satisfies ||= begin
-                @satisfies = []
-                attestations.each do |a|
-                    # Add an "attestation_key" field to each cover.
-                    a.satisfies.map! { |e| e['component_key'] = a.commponent_key; e }
-                    a.satisfies.map! { |e| e['attestation_key'] = a.attestation_summary; e }
-                    @satisfies << a.satisfies
-                end
-                @satisfies.flatten!
-            end
+            @satisfies ||= attestations.map { |a| a['satisfies'] }.flatten
         end
 
         # List of all controls defined by standards in the system.
         def controls
-            @controls || begin
-                @controls = []
-                standards.each do |s|
-                    # Add a "standard_key" field to each control.
-                    s.controls.map! { |e| e['standard_key'] = s.standard_key; e }
-                    @controls << s.controls
-                end
-                @controls.flatten!
-            end
+            @controls ||= standards.map { |s| s['controls'] }.flatten
         end
 
         # List of all families defined by standards in the system.
         def families
-            @families || begin
-                @families = []
-                standards.each do |s|
-                    # Add a "standard_key" field to each family.
-                    s.families.map! { |e| e['standard_key'] = s.standard_key; e }
-                    @families << s.families
-                end
-                @families.flatten!
+            @families ||= standards.map { |s| s['families'] }.flatten
+        end
+
+        # List of required controls for all certifications.
+        def requires
+            @requires ||= certifications.map { |c| c['requires'] }.flatten
+        end
+
+        def dump(writable_dir)
+            TABLE_NAMES.each do |table|
+                write_csv method(table.to_sym).call, File.join(writable_dir, "#{table}.csv")
+            end
+        end
+
+        # Convert array of hashes into a CSV.
+        def write_csv(ary, filename)
+            # Throw away nested hashes. The parser already created separate tables for them.
+            ary = ary.map { |e| e.reject { |_, val| val.is_a?(Enumerable) } }
+
+            warn "[INFO] write #{filename}"
+            CSV.open(filename, 'wb') do |csv|
+                column_names = ary.first.keys
+                csv << column_names
+                ary.each { |hash| csv << hash.values_at(*column_names) }
             end
         end
     end

data/lib/octool/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module OCTool
-    VERSION = '0.0.5'
+    VERSION = '0.0.10'
 end

data/octool.rdoc

@@ -1,6 +1,6 @@
 == octool - Open Compliance Tool
 
-v0.0.5
+v0.0.10
 
 === Global Options
 === --help
@@ -14,6 +14,18 @@ Display the program version
 
 
 === Commands
+==== Command: <tt>csv  path/to/system/config.yaml</tt>
+export data to CSV
+
+
+===== Options
+===== -d|--dir path/to/output/dir
+
+where to store outputs
+
+[Default Value] /tmp
+Default output directory respects env vars TMPDIR, TMP, TEMP
+
 ==== Command: <tt>help  command</tt>
 Shows a list of commands or help for one command
 

data/schemas/v1.0.2/certification.yaml

@@ -0,0 +1,27 @@
+---
+type: map
+class: Certification
+mapping:
+    certification_key:
+        desc: A short, unique identifier for this certification.
+        required: true
+        type: str
+        unique: true
+    name:
+        desc: A human-friendly name for the certification.
+        required: true
+        type: str
+    requires:
+        desc: List of control IDs required by the certification.
+        required: true
+        type: seq
+        sequence:
+            - type: map
+              class: ControlID
+              mapping:
+                  standard_key:
+                      required: true
+                      type: str
+                  control_key:
+                      required: true
+                      type: str

data/schemas/v1.0.2/component.yaml

@@ -0,0 +1,60 @@
+---
+type: map
+class: Component
+mapping:
+    name:
+        desc: Human-friendly name to appear in the SSP.
+        type: str
+        required: true
+    component_key:
+        desc: Unique identifier for referential integrity.
+        type: str
+        required: true
+    description:
+        desc: A paragraph or two that describes the component.
+        type: str
+        required: true
+    attestations:
+        desc: List of attestations.
+        type: seq
+        sequence:
+            - type: map
+              class: Attestation
+              mapping:
+                  summary:
+                      desc: Arbitrary verbiage to appear in SSP as a TLDR.
+                      type: str
+                      required: true
+                  status:
+                      desc: To what extent is this attestation "done"?
+                      type: str
+                      required: true
+                      enum:
+                          - partial
+                          - complete
+                          - planned
+                          - none
+                  date_verified:
+                      desc: When was this last verified?
+                      type: date
+                      required: false
+                  satisfies:
+                      desc: List of control IDs covered by this attestation.
+                      type: seq
+                      required: false
+                      sequence:
+                          - type: map
+                            class: ControlID
+                            mapping:
+                                standard_key:
+                                    type: text
+                                    required: true
+                                control_key:
+                                    type: text
+                                    required: true
+                  narrative:
+                      desc: |
+                          Explain how attestation satisfies the indicated controls.
+                          The content should be in markdown format.
+                      type: str
+                      required: true

data/schemas/v1.0.2/config.yaml

@@ -0,0 +1,111 @@
+---
+type: map
+class: Config
+mapping:
+    schema_version:
+        desc: |
+            Must match one of the schema directories in the octool source.
+        required: true
+        type: str
+
+    logo:
+        desc: Image for title page.
+        required: false
+        type: map
+        class: Logo
+        mapping:
+            path:
+                desc: Path to image.
+                type: str
+                required: true
+            width:
+                desc: Width of image, such as "1in" or "254mm"
+                type: str
+                required: true
+
+    name:
+        desc: Human-friendly to appear in the SSP.
+        required: true
+        type: str
+
+    overview:
+        desc: Human-friendly description to appear in the SSP.
+        required: true
+        type: str
+
+    maintainers:
+        desc: Who should somebody contact for questions about this SSP?
+        required: true
+        type: seq
+        sequence:
+            - type: str
+
+    metadata:
+        desc: Optional metadata.
+        required: false
+        type: map
+        class: Metadata
+        mapping:
+            abstract:
+                desc: Abstract appears in document metadata.
+                required: false
+                type: str
+            description:
+                desc: Description appears in document metadata.
+                required: false
+                type: str
+            '=':
+                desc: Arbitrary key:value pair of strings.
+                type: str
+
+    includes:
+        desc: Additional files to include from the system repo.
+        required: true
+        type: seq
+        sequence:
+            - type: map
+              class: Include
+              mapping:
+                  type:
+                      required: true
+                      type: str
+                      enum:
+                          - certification
+                          - component
+                          - standard
+                  path:
+                      desc: Path must be relative within the repo.
+                      required: true
+                      type: str
+
+    acronyms:
+        desc: |
+            List of acronyms to be referenced in the doc.
+
+            The acronyms follow the forms and usage described by the pandoc filter
+            https://gitlab.com/mirkoboehm/pandoc-acronyms
+
+            If your config.yaml includes acronyms, the filter is automatically invoked.
+        required: false
+        type: map
+        mapping:
+            '=':
+                desc: |
+                    Acronym as used in the doc source, such as "bba".
+                    The source usually refers to the acronym with syntax "[!bba]",
+                    but other syntax forms are possible (see upstream doc).
+                type: map
+                class: Acronym
+                mapping:
+                    shortform:
+                        desc: The short form of the expanded acronym, such as "BBA".
+                        required: true
+                        type: str
+                    longform:
+                        desc: |
+                            The expanded form of the abbreviation, such as "Beer Brewing Attitude".
+                            The first instance of "[!bba]" in the doc is automatically expanded to
+                            "<longform> (<shortform>)".
+                            Example: "[!bba]" expands to "Beer Brewing Attitude (BBA)".
+                        required: true
+                        type: str

data/schemas/v1.0.2/standard.yaml

@@ -0,0 +1,50 @@
+---
+type: map
+class: Standard
+mapping:
+    name:
+        desc: Human-friendly name to appear in SSP.
+        type: str
+        required: true
+
+    standard_key:
+        desc: Unique ID to use within YAML files.
+        type: str
+        required: true
+
+    families:
+        desc: Optional list of control families.
+        type: seq
+        required: false
+        sequence:
+            - type: map
+              class: ControlFamily
+              mapping:
+                  family_key:
+                      desc: Unique ID of the family
+                      type: str
+                      unique: true
+                  name:
+                      desc: Human-friendly name of the family
+                      type: str
+    controls:
+        desc: Mandatory list of controls defined by the standard.
+        required: true
+        type: seq
+        sequence:
+            - type: map
+              class: Control
+              mapping:
+                  control_key:
+                      type: str
+                      unique: true
+                      required: true
+                  family_key:
+                      type: str
+                      required: false
+                  name:
+                      type: str
+                      required: true
+                  description:
+                      type: str
+                      required: true

data/templates/ssp.erb

@@ -1,29 +1,28 @@
 ---
-<% if @system.config.logo -%>
+<% if @system.config['logo'] -%>
 title: |
-    ![](<%= @system.config.logo.path -%>){width=<%= @system.config.logo.width %>}
+    ![](<%= @system.config['logo']['path'] -%>){width=<%= @system.config['logo']['width'] %>}
 
-    <%= @system.config.name %>
+    <%= @system.config['name'] %>
 <% else %>
-title: "<%= @system.config.name -%>"
+title: "<%= @system.config['name'] -%>"
 <% end %>
 
 subtitle: "System Security Plan"
 
 author:
-<% @system.config.maintainers.each do |maintainer| %>
+<% @system.config['maintainers'].each do |maintainer| %>
     - <%= maintainer -%>
 <% end %>
 
 absract: |
-    <%= @system.config.metadata.abstract rescue 'None' %>
+    <%= @system.config['metadata']['abstract'] rescue 'None' %>
 
 description: |
-    <%= @system.config.metadata.description rescue 'None' %>
+    <%= @system.config['metadata']['description'] rescue 'None' %>
 
 fontsize: 11pt
 mainfont: NotoSans
-#monofont: NotoSansMono-ExtraCondensedLight
 monofont: NotoSansMono-ExtraCondensed
 mainfontoptions:
     - Numbers=Lowercase
@@ -52,52 +51,133 @@ geometry:
     - left=2cm
     - right=2cm
     - bottom=2cm
+
+header-includes:
+    - |
+        ```{=latex}
+        % https://ctan.org/pkg/metalogo?lang=en
+        \usepackage{metalogo}
+        ```
+    - |
+        ```{=latex}
+        % https://github.com/jgm/pandoc/wiki/Pandoc-Tricks#left-aligning-tables-in-latex
+        \usepackage[margins=raggedright]{floatrow}
+        ```
+    - |
+        ```{=latex}
+        % https://github.com/jgm/pandoc/wiki/Pandoc-Tricks#definition-list-terms-on-their-own-line-in-latex
+        % "Clone" the original \item command
+        \let\originalitem\item
+
+        % Redefine the \item command using the "clone"
+        \makeatletter
+        \renewcommand{\item}[1][\@nil]{%
+            \def\tmp{#1}%
+            \ifx\tmp\@nnil\originalitem\else\originalitem[#1]\hfill\par\fi}
+        \makeatother
+        ```
+    - |
+        ```{=latex}
+        % The are at least two ways to configure how LaTeX floats figures.
+        %
+        % 1. One approach is described in section 17.2 of
+        %    http://tug.ctan.org/tex-archive/info/epslatex/english/epslatex.pdf
+        %    However, the approach described there requires to teach people
+        %    how to write LaTeX cross-references in markdown.
+        %
+        % 2. Force figures, listings, etc., to float "[H]ere".
+        %    This is a LaTeX anti-pattern because it causes large gaps of whitespace on some pages.
+        %    This approach avoids having to teach people to create LaTeX cross-references.
+        %    https://tex.stackexchange.com/a/101726
+        %
+        % Use option 2.
+        \usepackage{float}
+        \floatplacement{figure}{H}
+        ```
 ---
 
-# <%= @system.config.name %>
+# Introduction
 
-## Overview
+## About this document
+
+A System Security Plan (SSP) is a document to describe security controls in use
+on an information system and their implementation. An SSP provides:
+
+- Narrative of security control implementation
+- Description of components and services
+- System data flows and authorization boundaries
 
-<%= @system.config.overview %>
 
 ## Standards
 
-This System Security Plan (SSP) addresses these standards:
+This SSP draws from these standards:
 
 <% @system.standards.each do |s| -%>
-- <%= s.name %>
+- <%= s['name'] %>
 <% end %>
 
 The full copy of each standard is included in the appendix.
 
 
-## Components
+## Certifications
 
-<% @system.components.each do |c| %>
-### <%= c.name %>
+A certification is a logical grouping of controls that are of interest to
+a given subject. A particular certification does not necessarily target all
+controls from a standard, nor does a particular certification need to draw
+from a single standard.
 
-<%= c.description %>
+This SSP addresses these certifications:
+
+<% @system.certifications.each do |c| -%>
+- <%=c['name']%>
+
+<% c['requires'].each do |r| -%>
+    - <%=r['standard_key']-%> control <%=r['control_key']%>
+<% end -%>
 
-<% if c.attestations.empty? %>
-_The organization has not yet documented attestations for this component_.
-<% else %>
-The organization offers the following attestations for this component.
 <% end %>
 
-<% c.attestations.each do |a| %>
-####  <%= a.summary %>
 
-Status: <%= a.status %>
+# <%= @system.config['name'] %>
+
+## Overview
 
-Date verified: <%= a.date_verified if a.date_verified %>
+<%= @system.config['overview'] %>
 
-Satisfies:
 
-<% a.satisfies.each do |cid| -%>
-- <%= cid.standard_key %> control <%= cid.control_key %>
-<% end -%>
+## Components
+
+<% @system.components.each do |c| %>
+### <%= c['name'] %>
 
-<%= a.narrative %>
+<%= c['description'] %>
+
+<% if c['attestations'].empty? %>
+_The organization has not yet documented attestations for this component_.
+<% else %>
+The organization offers the following attestations for this component.
+<% end %>
+
+<% c['attestations'].compact.each do |a| %>
+####  <%= a['summary'] %>
+
++----------+---------------+--------------------------------------------------------------+
+| Status   | Date verified | Satisfies                                                    |
++==========+===============+==============================================================+
+<%
+s = a['satisfies'][0]
+verbiage = sprintf('%-58s', [s['standard_key'], 'control', s['control_key']].join(' '))
+-%>
+| <%=sprintf('%-8s', a['status'])-%> | <%=sprintf('%-13s', a['date_verified'])-%> | - <%=verbiage-%> |
+<%
+a['satisfies'][1..].each do |s|
+    verbiage = sprintf('%-58s', [s['standard_key'], 'control', s['control_key']].join(' '))
+-%>
+|          |               | - <%=verbiage-%> |
+<%  end -%>
++----------+---------------+--------------------------------------------------------------+
+
+<%= a['narrative'] %>
 
 <% end %>
 <% end %>
@@ -106,25 +186,60 @@ Satisfies:
 # Appendix: Standards
 
 <% @system.standards.each do |s| %>
-## <%=s.name %>
+## <%=s['name'] %>
 
-<% if s.families and !s.families.empty? %>
+<% if s['families'] and !s['families'].empty? %>
 ### Families
 
-<% s.families.each do |family| %>
-<%= family.family_key %>
-  ~ <%= family.name %>
+<%=s['name']-%> categorizes controls into logical groups called families.
 
-<% end %>
+| Family abbreviation        | Family name          |
+| -------------------------- | -------------------- |
+<% s['families'].each do |family| -%>
+| <%=family['family_key']-%> | <%=family['name']-%> |
+<% end -%>
+
+  : Control families for <%=s['name']%>
 
 <% end %>
 
 ### Controls
 
-<% s.controls.each do |c| %>
-#### Control <%= c.control_key -%>: <%= c.name %>
+<% s['controls'].each do |c| %>
+#### Control <%= c['control_key'] -%>: <%= c['name'] %>
 
-<%= c.description %>
+<%= c['description'] %>
 
 <% end %>
 <% end %>
+
+
+# Colophon
+
+This document was typeset in NotoSans with \LuaTeX\.
+The main body font is 11-point, and
+code snippets use NotoSansMono-ExtraCondensed.
+
+The Noto family of fonts is freely available and developed by Google,
+which describes Noto as:
+
+> When text is rendered by a computer, sometimes characters are displayed as
+> "tofu". They are little boxes to indicate your device doesn't have a
+> font to display the text.
+>
+> Google has been developing a font family called Noto, which aims to support
+> all languages with a harmonious look and feel. Noto is Google's answer to
+> tofu. The name noto is to convey the idea that Google's goal is to see
+> "no more tofu". Noto has multiple styles and weights, and is freely
+> available to all.
+
+Core tools used to produce this document:
+
+- [Docker](https://www.docker.com/) provides a repeatable environment in
+  which to run the tools.
+- [OCTool](https://github.com/jumanjihouse/octool)
+  provides a schema and wrapper to express compliance data as configuration.
+- [Pandoc](https://pandoc.org/) converts extended markdown to PDF output.
+- [Python](https://www.python.org/) is a core language for automation.
+- [Ruby](https://www.ruby-lang.org/en/) is a core language for automation.
+- [TeXLive](https://www.tug.org/texlive/) provides the \TeX\ family of tools.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: octool
 version: !ruby/object:Gem::Version
-  version: 0.0.5
+  version: 0.0.10
 platform: ruby
 authors:
 - Paul Morgan
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-18 00:00:00.000000000 Z
+date: 2020-05-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -93,61 +93,61 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 2.19.0
 - !ruby/object:Gem::Dependency
-  name: kwalify
+  name: json_pure
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.7.2
+        version: 2.3.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.7.2
+        version: 2.3.0
 - !ruby/object:Gem::Dependency
-  name: pandoc-ruby
+  name: kwalify
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.1.4
+        version: 0.7.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.1.4
+        version: 0.7.2
 - !ruby/object:Gem::Dependency
-  name: paru
+  name: pandoc-ruby
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.4.0.1
+        version: 2.1.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.4.0.1
+        version: 2.1.4
 - !ruby/object:Gem::Dependency
-  name: recursive-open-struct
+  name: paru
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.1
+        version: 0.4.0.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.1
+        version: 0.4.0.1
 description: 
 email: jumanjiman@gmail.com
 executables:
@@ -174,6 +174,10 @@ files:
 - schemas/v1.0.1/component.yaml
 - schemas/v1.0.1/config.yaml
 - schemas/v1.0.1/standard.yaml
+- schemas/v1.0.2/certification.yaml
+- schemas/v1.0.2/component.yaml
+- schemas/v1.0.2/config.yaml
+- schemas/v1.0.2/standard.yaml
 - templates/ssp.erb
 homepage: https://github.com/jumanjiman/octool
 licenses: