opencontrol-linter 0.1

data/vendor/schemas/CONTRIBUTING.md

@@ -0,0 +1,37 @@
+## Welcome!
+
+We're so glad you're thinking about contributing to an 18F open source project! If you're unsure about anything, just ask -- or submit the issue or pull request anyway. The worst that can happen is you'll be politely asked to change something. We love all friendly contributions.
+
+We want to ensure a welcoming environment for all of our projects. Our staff follow the [18F Code of Conduct](https://github.com/18F/code-of-conduct/blob/master/code-of-conduct.md) and all contributors should do the same.
+
+We encourage you to read this project's CONTRIBUTING policy (you are here), its [LICENSE](LICENSE.md), and its [README](README.md).
+
+If you have any questions or want to read more, check out the [18F Open Source Policy GitHub repository](https://github.com/18f/open-source-policy), or just [shoot us an email](mailto:18f@gsa.gov).
+
+## Public domain
+
+This project is in the public domain within the United States, and
+copyright and related rights in the work worldwide are waived through
+the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/).
+
+All contributions to this project will be released under the CC0
+dedication. By submitting a pull request, you are agreeing to comply
+with this waiver of copyright interest.
+
+## Versioning
+
+This project abides by [Semantic Versioning](http://semver.org/). [The Kwalify file](opencontrol-component-kwalify-schema.yaml) will be the source of truth for any given version. Examples of what would constitute each type of version bump are below.
+
+### Major
+
+* New required field/attribute added
+* Structure of a field/attribute changes
+
+### Minor
+
+* Non-required attribute/field added
+* Attribute/field deprecated
+
+### Patch
+
+(We don't anticipate bumping the patch version.)

data/vendor/schemas/README.md

@@ -0,0 +1,175 @@
+# Schemas
+
+YAML schema, examples, and validators for OpenControl format. You can find the formal definitions and learn about how to do validation in the [`kwalify/`](kwalify/) folder. The examples from the Glorious (Fake) Nation of Freedonia are the complete standalone example targeted at OpenControl beginners, so we recommend looking at those first.
+
+## Full project examples
+
+* [Freedonia](https://github.com/opencontrol/freedonia-compliance#readme)
+* [cloud.gov](https://github.com/18F/cg-compliance) ([GitBook](https://compliance.cloud.gov/) [rendered with Compliance Masonry](https://github.com/opencontrol/compliance-masonry#creating-gitbook-documentation))
+* [Environmental Protection Agency (EPA) eManifest/eRegs Notice and Comment](https://github.com/18F/epa-notice)
+* [CALC](https://github.com/18F/calc)
+* [Docker Datacenter example](https://github.com/docker/compliance/tree/master/examples/opencontrol/DockerEE-Moderate-ATO)
+
+## Components
+
+Components represent individual parts of an application or organizational policy that deal with specific security requirements. For example, in the [AWS compliance documentation](https://github.com/opencontrol/aws-compliance) the [EC2](https://github.com/opencontrol/aws-compliance/blob/master/IAM/component.yaml) component deals with access control and identity management security requirements. In the [Cloud Foundry compliance documentation](https://github.com/opencontrol/cf-compliance), the [UAA](https://github.com/opencontrol/cf-compliance/blob/master/UAA/component.yaml) the [Cloud Controller](https://github.com/opencontrol/cf-compliance/tree/master/CloudController) components deal with those requirements. In a straightforward Django-based application, for example, Django would be the component that deals with access control and identity management. As a developer building an SSP you most likely only deal with the component documentation.
+
+### Examples
+
+* [Amazon Web Services (AWS)](https://github.com/opencontrol/aws-compliance)
+    * [The (simplified) Freedonia version](https://github.com/opencontrol/freedonia-aws-compliance)
+* [Cloud Foundry](https://github.com/opencontrol/cf-compliance)
+* [Docker Datacenter](https://github.com/docker/ddc-opencontrol)
+
+### Structure
+
+```yaml
+name: Name of the component
+key: Key of the component (defaults to the filename if not present)
+documentation_complete: Manual check if the documentation is complete (for gap analysis)
+schema_version: 3.0.0
+references:
+  - name: Name of the reference ie. EC2 website
+    path: Relative path of local file or URL ie. diagrams/diagram-1.png
+    type: Type of reference ie. Image, URL
+  - name: Name of the reference ie. EC2 website
+    path: Relative path of local file or URL ie. diagrams/diagram-1.png
+    type: Type of reference ie. Image, URL
+verifications:
+  - key: Key of verification
+    name: Name of verification
+    path: Relative path of local file or URL ie. diagrams/diagram-1.png
+    type: Type of reference ie. Image, URL
+  - key: Key of verification
+    name: Name of verification
+    path: Relative path of local file or URL ie. diagrams/diagram-1.png
+    type: Type of reference ie. Image, URL
+satisfies:
+  - standard_key: Standard Key (NIST-800-53)
+    control_key: Control Key (CM-2)
+    narrative:
+      - key: The optional key that represents a particular section of the control. If the key is not specified, assume the string in the following text represents the entire control
+        text: The narrative text for the particular section / entire control if there is no key specified
+    implementation_statuses:
+      - Used for gap analysis, can only be one of the following:
+      - partial
+      - planned
+      - complete
+      - none
+    control_origins:
+      - shared
+      - inherited
+      - Other text representing the control origination.
+    parameters:
+     - key: "The key for a particular parameter of the specific control"
+       text: "The parameter text for a particular parameter of a specific control"
+    covered_by:
+      - verification_key: The specific verification ID that the reference links, no component or system is needed for internal references
+      - system_key: System name of the verification (can link to other systems / components)
+        component_key: System name of the verification (can link to other systems / components)
+        verification_key: The specific verification ID that the reference links to
+```
+
+### Validation
+
+```bash
+kwalify -f kwalify/component/v3.0.0.yaml examples/component_v3.0.0.yaml
+# OR
+pykwalify -s kwalify/component/v3.0.0.yaml -d examples/component_v3.0.0.yaml
+```
+
+## Standards
+
+A standard is a list composed of individual security requirements called controls.
+
+### Examples
+
+```yaml
+# nist-800-53.yaml
+standards:
+  C-2:
+    name: User Access
+    description: There is an affordance for managing access by...
+
+# PCI.yaml
+standards:
+  Regulation-6:
+    name: User Access PCI
+    description: There is an affordance for managing access by...
+```
+
+#### See also
+
+* [Freedonia FRIST](https://github.com/opencontrol/freedonia-frist)
+* [National Institute of Standards and Technology (NIST) 800-53](https://github.com/opencontrol/NIST-800-53-Standards)
+* [Payment Card Industry Data Security Standard (PCI DSS)](https://github.com/opencontrol/PCI-DSS-Certifications)
+
+## Certifications
+
+Since standards can have thousands of security requirements (aka controls), agencies like the [GSA](http://www.gsa.gov/) or organizations such as [FedRAMP](https://www.fedramp.gov) have curated a list of controls they require in order grant an IT system Authority to Operate (ATO). These are also known as "baselines". The GSA, for example, developed a baseline called [the Lightweight ATO (LATO)](https://gsablogs.gsa.gov/innovation/2014/12/10/it-security-security-in-an-agile-development-cloud-world-by-kurt-garbars/), which uses only 24 controls.
+
+### Example
+
+```yaml
+# Fisma.yaml
+standards:
+  NIST-800-53:
+    C-2:
+    C-3:
+  PCI:
+    6:
+```
+
+#### See also
+
+* [Freedonia FRIST](https://github.com/opencontrol/freedonia-frist)
+* [General Services Administration (GSA) certifications](https://github.com/18F/GSA-Certifications)
+
+## Systems
+
+The `opencontrol.yaml` file defines an application's documentation configuration settings.
+
+### Structure
+
+```yaml
+schema_version: "1.0.0" # 1.0.0 is the current opencontrol.yaml schema version
+name: Project_Name # Name of the project
+metadata:
+  description: "A description of the system"
+  maintainers:
+    - maintainer_email@email.com
+components: # A list of paths to components written in the opencontrol format for more information view: https://github.com/opencontrol/schemas
+  - ./component-1
+certifications: # An optional list of certifications for more information visit: https://github.com/opencontrol/schemas
+  - ./cert-1.yaml
+standards: # An optional list of standards for more information visit: https://github.com/opencontrol/schemas
+  - ./standard-1.yaml
+dependencies:
+  certifications: # An optional list of certifications stored remotely
+    - url: https://github.com/18F/GSA-Certifications
+      revision: master
+  systems:  # An optional list of repos that contain an opencontrol.yaml stored remotely
+    - url: https://github.com/18F/cg-compliance
+      revision: master
+  standards:   # An optional list of remote repos containing standards info that contain an opencontrol.yaml
+    - url: https://github.com/opencontrol/NIST-800-53-Standards
+      revision: master
+```
+
+For version control systems, a option key `contextdir` can be specified to handle multiple opencontrol content directories in a single repository.
+For example:
+
+```
+dependencies:
+    - url: https://github.com/organization/repository
+      contextdir: subdirectory_in_repository
+      revision: branch
+```
+
+### Validation
+
+```bash
+kwalify -f kwalify/opencontrol/v1.0.0.yaml examples/opencontrol_v1.0.0.yaml
+# OR
+pykwalify -s kwalify/opencontrol/v1.0.0.yaml -d examples/opencontrol_v1.0.0.yaml
+```

data/vendor/schemas/examples/component_v3.0.0.yaml

@@ -0,0 +1,70 @@
+documentation_complete: false
+name: Amazon Elastic Compute Cloud
+references:
+- name: Reference
+  path: http://VerificationURL.com
+satisfies:
+- control_key: CM-2
+  covered_by:
+  - verification_key: EC2_Verification_1
+  - component_key: UAA
+    system_key: CloudFoundry
+    verification_key: UAA_Verification_1
+  implementation_status: partial
+  control_origin: shared
+  narrative:
+    - key: "a"
+      text: "Justification in narrative form A for CM-2"
+    - key: "b"
+      text: "Justification in narrative form B for CM-2"
+  standard_key: NIST-800-53
+- control_key: 1.1
+  covered_by:
+  - verification_key: EC2_Verification_1
+  - component_key: UAA
+    system_key: CloudFoundry
+    verification_key: UAA_Verification_1
+  implementation_status: partial
+  control_origin: inherited
+  parameters:
+    - key: "a"
+      text: "Parameter A for 1.1"
+    - key: "b"
+      text: "Parameter B for 1.1"
+  narrative:
+    - key: "a"
+      text: "Justification in narrative form A for 1.1"
+    - key: "b"
+      text: "Justification in narrative form B for 1.1"
+  standard_key: PCI-DSS-MAY-2015
+- control_key: 1.1.1
+  covered_by: []
+  implementation_status: partial
+  control_origin: inherited
+  narrative:
+    - key: "a"
+      text: "Justification in narrative form A for 1.1.1"
+    - key: "b"
+      text: "Justification in narrative form B for 1.1.1"
+  parameters:
+    - key: "a"
+      text: "Parameter A for 1.1.1"
+    - key: "b"
+      text: "Parameter B for 1.1.1"
+  standard_key: PCI-DSS-MAY-2015
+- control_key: 2.1
+  covered_by: []
+  implementation_status: partial
+  control_origin: inherited
+  narrative:
+    - text: "Justification in narrative form for 2.1"
+  standard_key: PCI-DSS-MAY-2015
+responsible_role: "AWS Staff"
+schema_version: 3.0.0
+verifications:
+- key: EC2_Verification_2
+  name: EC2 Governor 2
+  path: artifact-ec2-1.png
+- key: EC2_Verification_1
+  name: EC2 Verification 1
+  path: http://VerificationURL.com

data/vendor/schemas/examples/component_v3.1.0.yaml

@@ -0,0 +1,81 @@
+documentation_complete: false
+name: Amazon Elastic Compute Cloud
+references:
+  - name: Reference
+    path: http://VerificationURL.com
+    type: URL
+satisfies:
+  - control_key: CM-2
+    covered_by:
+      - verification_key: EC2_Verification_1
+      - component_key: UAA
+        system_key: CloudFoundry
+        verification_key: UAA_Verification_1
+    implementation_statuses:
+      - partial
+      - planned
+    control_origins:
+      - shared
+      - inherited
+    references:
+      - name: Reference2
+        path: http://VerificationURL2.com
+        type: URL
+    narrative:
+      - key: "a"
+        text: "Justification in narrative form A for CM-2"
+      - key: "b"
+        text: "Justification in narrative form B for CM-2"
+    standard_key: NIST-800-53
+  - control_key: 1.1
+    covered_by:
+      - verification_key: EC2_Verification_1
+      - component_key: UAA
+        system_key: CloudFoundry
+        verification_key: UAA_Verification_1
+    implementation_status: partial
+    control_origin: inherited
+    parameters:
+      - key: "a"
+        text: "Parameter A for 1.1"
+      - key: "b"
+        text: "Parameter B for 1.1"
+    narrative:
+      - key: "a"
+        text: "Justification in narrative form A for 1.1"
+      - key: "b"
+        text: "Justification in narrative form B for 1.1"
+    standard_key: PCI-DSS-MAY-2015
+  - control_key: 1.1.1
+    covered_by: []
+    implementation_status: partial
+    control_origin: inherited
+    narrative:
+      - key: "a"
+        text: "Justification in narrative form A for 1.1.1"
+      - key: "b"
+        text: "Justification in narrative form B for 1.1.1"
+    parameters:
+      - key: "a"
+        text: "Parameter A for 1.1.1"
+      - key: "b"
+        text: "Parameter B for 1.1.1"
+    standard_key: PCI-DSS-MAY-2015
+  - control_key: 2.1
+    covered_by: []
+    implementation_status: partial
+    control_origin: inherited
+    narrative:
+      - text: "Justification in narrative form for 2.1"
+    standard_key: PCI-DSS-MAY-2015
+responsible_role: "AWS Staff"
+schema_version: 3.0.0
+verifications:
+  - key: EC2_Verification_2
+    name: EC2 Governor 2
+    path: artifact-ec2-1.png
+    type: Image
+  - key: EC2_Verification_1
+    name: EC2 Verification 1
+    path: http://VerificationURL.com
+    type: URL

data/vendor/schemas/examples/opencontrol_v1.0.0.yaml

@@ -0,0 +1,22 @@
+schema_version: "1.0.0" # 1.0.0 is the current opencontrol.yaml schema version
+name: Project_Name # Name of the project
+metadata:
+  description: "A description of the system"
+  maintainers:
+    - maintainer_email@email.com
+components: # A list of paths to components written in the opencontrol format for more information view: https://github.com/opencontrol/schemas
+  - ./component-1
+certifications: # An optional list of certifications for more information visit: https://github.com/opencontrol/schemas
+  - ./cert-1.yaml
+standards: # An optional list of standards for more information visit: https://github.com/opencontrol/schemas
+  - ./standard-1.yaml
+dependencies:
+  certifications: # An optional list of certifications stored remotely
+    - url: https://github.com/18F/GSA-Certifications
+      revision: master
+  systems:  # An optional list of repos that contain an opencontrol.yaml stored remotely
+    - url: https://github.com/18F/cg-compliance
+      revision: master
+  standards:   # An optional list of remote repos containing standards info that contain an opencontrol.yaml
+    - url: https://github.com/opencontrol/NIST-800-53-Standards
+      revision: master

data/vendor/schemas/kwalify/README.md

@@ -0,0 +1,31 @@
+# Kwalify schema files
+
+The files in the subdirectories of this folder are organized by the type of file, and then named by the version of that file's schema. These YAML files are in the [Kwalify](http://www.kuwata-lab.com/kwalify/) format—see that site for documentation.
+
+## Validation
+
+To validate your OpenControl files, do the following from your project root directory:
+
+1. Install Python (2 or 3).
+1. Ignore the `schemas/` directory from version control (e.g. `.gitignore`).
+1. Clone (or update) the [schemas](https://github.com/opencontrol/schemas) repository.
+
+    ```bash
+    git clone https://github.com/opencontrol/schemas.git
+    # or
+    cd schemas && git pull origin master && cd ..
+    ```
+
+1. Install the dependencies.
+
+    ```bash
+    pip install -r pip install -r schemas/kwalify/requirements.txt
+    ```
+
+1. Run the tests.
+
+    ```bash
+    pytest
+    ```
+
+For a more advanced setup, see [18F's cloud.gov compliance repository](https://github.com/18F/cg-compliance) as an example of using these tests as part of continuous integration.

data/vendor/schemas/kwalify/certification/v1.0.0.yaml

@@ -0,0 +1,12 @@
+type: map
+mapping:
+  standards:
+    type: map
+    mapping:
+      =:
+        type: map
+        mapping:
+          =:
+            type: any
+  name:
+    type: str

data/vendor/schemas/kwalify/component/test_data_validity.py

@@ -0,0 +1,25 @@
+from glob import iglob
+from pykwalify.core import Core
+import yaml
+
+def get_schema(version):
+    path = 'schemas/kwalify/component/v{}.yaml'.format(version)
+    contents = open(path)
+    return yaml.load(contents)
+
+def create_validator(source_data):
+    version = source_data.get('schema_version', '3.1.0')
+    schema = get_schema(version)
+    validator = Core(source_data={}, schema_data=schema)
+    validator.source = source_data
+    return validator
+
+def test_data_valid():
+    """ Check that the content of data fits with masonry schema v2 """
+    for component_file in iglob('*/component.yaml'):
+        source_data = yaml.load(open(component_file))
+        validator = create_validator(source_data)
+        try:
+            validator.validate(raise_exception=True)
+        except:
+            assert False, "Error found in: {0}".format(component_file)