This repository has been archived by the owner on May 14, 2018. It is now read-only.

Clarify confidential-survey use case #27

Closed
pburkholder opened this issue Jun 22, 2016 · 2 comments

@pburkholder
Member

The README.md references https://github.com/18F/cg-application-ssp-example, which in turn has the file, https://github.com/18F/cg-application-ssp-example/blob/master/ExampleApplicationComponent/component.yaml, which reads:

```yaml
documentation_complete: false
name: Application Component Example
verifications:
  hakiri:
    name: Hakiri Results
    path: https://hakiri.io/github/18F/confidential-survey/develop
    type: URL
  gemnasium:
    name: Gemnasium Results
    path: https://gemnasium.com/18F/confidential-survey
    type: URL
  code_climate:
    name: Code Climate Results
    path: https://codeclimate.com/github/18F/confidential-survey
    type: URL
satisfies:
  NIST-800-53:
    SA-11 (1):
      narrative: |
        Code Climate is a code analysis tool that combines the results of multiple static analysis tools. The Confidential Survey application uses the Hakiri and Gemnasium engines in Code Climate to verify that the code is secure and has no outdated dependencies.
      references:
      - verification: code_climate
      - verification: gemnasium
      - verification: hakiri
```

However, the actual confidential-survey application, https://github.com/18F/confidential-survey, doesn't have the above code or anything seemingly related to opencontrol other than https://github.com/18F/confidential-survey/blob/develop/system-security-plan.yml.

Which leads to a couple of questions:

  • Does the snippet above come from any real, working application, or is it an example of a goal to someday implement?
  • Does the system-security-plan.yml in confidential-survey play into this compliance framework?

Thanks, Peter
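One way to answer the "is this snippet real or aspirational" question mechanically is to check a component file for internal consistency: every `verification:` cited under `satisfies:` must exist under `verifications:`, every control should cite at least one piece of evidence, and declared evidence nobody cites is a sign of a hand-edited example. The script below is an added example, not code from this issue or from compliance-masonry; the component dict mirrors the component.yaml quoted above, and the key names, the `load_component` helper (which assumes PyYAML is installed) and the findings format are assumptions of this example rather than the project's schema or tooling.

```python
"""Consistency check for an OpenControl-style component file (added example)."""
from __future__ import annotations

import copy

# Constructed sample: a dict mirroring the component.yaml quoted in the issue.
SAMPLE_COMPONENT = {
    "documentation_complete": False,
    "name": "Application Component Example",
    "verifications": {
        "hakiri": {
            "name": "Hakiri Results",
            "path": "https://hakiri.io/github/18F/confidential-survey/develop",
            "type": "URL",
        },
        "gemnasium": {
            "name": "Gemnasium Results",
            "path": "https://gemnasium.com/18F/confidential-survey",
            "type": "URL",
        },
        "code_climate": {
            "name": "Code Climate Results",
            "path": "https://codeclimate.com/github/18F/confidential-survey",
            "type": "URL",
        },
    },
    "satisfies": {
        "NIST-800-53": {
            "SA-11 (1)": {
                "narrative": "Code Climate combines the results of multiple "
                "static analysis tools; Hakiri and Gemnasium check security "
                "and outdated dependencies.",
                "references": [
                    {"verification": "code_climate"},
                    {"verification": "gemnasium"},
                    {"verification": "hakiri"},
                ],
            }
        }
    },
}

# Constructed variant: same file plus a reference to a verification that was
# never declared (the kind of inconsistency a hand-written example tends to have).
BROKEN_COMPONENT = copy.deepcopy(SAMPLE_COMPONENT)
BROKEN_COMPONENT["satisfies"]["NIST-800-53"]["SA-11 (1)"]["references"].append(
    {"verification": "brakeman"}  # hypothetical undeclared verification key
)


def load_component(yaml_text: str) -> dict:
    """Parse component YAML with PyYAML (assumed installed). safe_load only:
    a compliance file must never be able to instantiate arbitrary objects."""
    import yaml  # imported lazily so check_component() works without PyYAML

    return yaml.safe_load(yaml_text)


def check_component(component: dict) -> list[str]:
    """Return findings as strings; an empty list means the file is consistent."""
    findings: list[str] = []
    verifications = component.get("verifications") or {}
    declared = set(verifications)
    cited: set[str] = set()

    for standard, controls in (component.get("satisfies") or {}).items():
        for control, body in (controls or {}).items():
            body = body or {}
            refs = body.get("references") or []
            if not refs:
                findings.append(f"{standard} {control}: no evidence referenced")
            if not body.get("narrative"):
                findings.append(f"{standard} {control}: empty narrative")
            for ref in refs:
                key = (ref or {}).get("verification")
                cited.add(key)
                if key not in declared:
                    findings.append(
                        f"{standard} {control}: references undeclared verification {key!r}"
                    )

    # Evidence that no control cites is dead weight and worth a look.
    for unused in sorted(declared - cited):
        findings.append(f"verification {unused!r} is declared but never referenced")

    # URL-type evidence should at least be served over TLS.
    for key, entry in verifications.items():
        path = str((entry or {}).get("path", ""))
        if (entry or {}).get("type") == "URL" and not path.startswith("https://"):
            findings.append(f"verification {key!r}: path is not an https URL")
    return findings


if __name__ == "__main__":
    for label, comp in (("sample", SAMPLE_COMPONENT), ("broken", BROKEN_COMPONENT)):
        print(label, check_component(comp) or "OK")
```

Run against the quoted snippet the check is clean; the variant with a dangling `brakeman` reference produces one finding, which is the kind of signal you want before treating a component file as evidence for an ATO.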

@afeld afeld added the question label Jun 23, 2016
@afeld
Contributor

afeld commented Jun 23, 2016

the actual confidential-survey application, https://github.com/18F/confidential-survey, doesn't have the above code or anything seemingly related to opencontrol

Right...Confidential Survey's Masonry files were created before we could split Masonry files across repositories, so it had to be done in a branch off of the cloud.gov compliance information:

cloud-gov/compliance#33

Does the snippet above come from any real, working application or is it an example of goal to someday implement?

Confidential Survey is a real application, but I believe that example component.yml is contrived/aspirational. Confidential Survey's Masonry YAML files were also made for an old version of Masonry, so they aren't a great example any more. See #23.

@harrisj Does that all sound right?

We don't actually have a real application with up-to-date Masonry files that can demonstrate a full example, though there might be a few 18F projects that need ATOs coming down the pipe soon who can try it out.

Does the system-security-plan.yml in confidential-survey play into this compliance framework?

Not in its current form, at least. system-security-plan.yml was the precursor to Masonry, so it's possible it has been superseded, but we may need to move some of those fields in.

@afeld afeld closed this as completed Jun 23, 2016
@afeld
Contributor

afeld commented Jun 23, 2016

Does the system-security-plan.yml in confidential-survey play into this compliance framework?

See also: opencontrol/compliance-masonry#1
