Version 0.9.3.1

@gregelin gregelin released this 24 Mar 14:22
· 1614 commits to main since this release
b017098

v0.9.3.1 (March 23, 2021)

Includes release v0.9.3.0rc1 changes.

Questions now support "actions" to dynamically update project and system data stored outside of questionnaires.
New, better install process written in Python.
Include all required static files in the siteapp/static directory as part of the GovReady-Q distribution.

Feature changes

  • Re-assign a system's baseline to a different baseline; dynamically batch add and remove controls to change a system's existing baseline to a different baseline (e.g., from moderate to low).
  • Enable questionnaire question to process question system actions to set system baseline (e.g., selected controls).
  • Enable questionnaire question to process question system actions to set project title and system name.
  • Support "actions" functionality associated with question answers.
  • Support assigning "roles" to elements.
  • Use new "actions" and "roles" functionality to enable question answers to add/delete components from selected components of a system.
  • Add and delete controls from a system's selected controls.

UI changes

  • Rename "App Library" to "Template Library" in nav bar.
  • Add "Project Home" button to action button ribbon.
  • Top of action button ribbon button order now: "Project Home", "Controls", "Components".
  • Update 3-column statement layout's "edit" into a glyphicon pencil pulled all the way right, remove extra lines and other small changes.
  • Update 3-column statement layout to include column headings.
  • Conditionally display remarks in component library using HTML details tag.
  • Style searchbox on component library and component library detail page to use search glyphicon to indicate search and remove glyphicon within search box to clear search results.
  • Separate user home page (e.g., "/") from /project page to provide a better first use and login experience.
  • Display number of projects and portfolios on the new user home page.
  • Add delete trash icon to selected control list for users with permission to change system. Include a pop-up confirmation dialog.
  • Add popup confirmation dialog box for deleting components from system's selected components.
  • Add autocomplete select box for adding controls to system's selected controls page.

Developer changes

  • Add processing for question actions targeted at system to handle system/assign_baseline/<value> to assign baseline set of controls to a system.
  • Add processing for question actions targeted at system to handle system/update_system_and_project_name/<value> to set system name and project title.
  • Add "actions" to Compliance App questions (e.g., tasks) that are conditionally performed based on question answer(s).
  • Add "roles" to identify, organize, and process system elements (e.g., components)
  • New, better install process written in Python.
  • Include all required static files pre-collected in static_root directory as part of GovReady-Q distribution.
  • Replace shell script install script install-govready-q.sh with better Python install script install.py.
  • Now including all static files as part of distribution.
  • Add Snyk security scans to CircleCI; scanned items include the Python requirements files requirements.txt, requirements_util.txt, and requirements_mysql.txt.

The action capability is supported by a new actions item within each defined question.

Actions take the form:

  actions:
    - value: <answer_value>
      action: <object>/<verb>/<filter>
      comment: <comment>

Example actions:

  actions:
    - value: adfs
      action: element/add_role/ADFS
      comment: Add elements assigned ADFS to selected components
    - value: adfs
      action: element/del_role/Azure Active Directory
      comment: Delete elements assigned Azure Active Directory from selected components

The following actions are currently supported:

  1. system/assign_baseline/<value> - Automatically sets the system baseline controls to the selected impact
  2. system/update_system_and_project_name/<value> - Automatically sets the system and project names
  3. element/add_role/<role_value> - Automatically add elements to the selected components of a system
  4. element/del_role/<role_value> - Automatically delete elements from the selected components of a system
  • Actions are (currently) performed as part of processing the question answer in guidedmodules, before going to the next question.
  • Actions should be idempotent.
  • Actions almost never re-direct user out of the questionnaire.
  • Actions need to be reversible. When a user changes an answer, the previous action should be undone or modified accordingly.

We connect actions defined in the portable compliance app to GovReady-Q instance data via "roles" dynamically assigned to target objects.
In the initially supported use case, Elements can be assigned Roles via the new ElementRole model.
The new ElementRole model assigns roles to system elements via a Many-to-Many relationship.
Creating ElementRoles and associating Elements with roles is currently done in the Django admin interface.

Roles provide a level of abstraction between an action defined in a compliance app and the actual objects dynamically assigned that role.

ElementRoles also enable categorizing, organizing, filtering, and creating checks around Elements. An example role might be "internal-only", which allows checks to be added to prevent accidental disclosure.

ElementRoles differ from more generic tags because the setting of roles should be limited to privileged users and have a specific organizational purpose.
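The action format and role indirection described above, as an added example that is not GovReady-Q source code: it parses `<object>/<verb>/<filter>` strings against an allowlist of the four supported actions and applies the role actions with set operations so that re-submitting an answer is idempotent. The names `parse_action`, `apply_role_action`, `answer_question` and the role-to-element mapping are hypothetical.

```python
from typing import NamedTuple

# The four object/verb pairs the release notes list as supported.
SUPPORTED = {
    ("system", "assign_baseline"),
    ("system", "update_system_and_project_name"),
    ("element", "add_role"),
    ("element", "del_role"),
}

# Constructed sample data: the question actions mirror the example above;
# the role-to-element mapping is invented for illustration.
QUESTION_ACTIONS = [
    {"value": "adfs", "action": "element/add_role/ADFS"},
    {"value": "adfs", "action": "element/del_role/Azure Active Directory"},
]
ROLE_MEMBERS = {"ADFS": {"adfs-server"}, "Azure Active Directory": {"azure-ad"}}

class Action(NamedTuple):
    obj: str
    verb: str
    filter: str

def parse_action(spec: str) -> Action:
    """Split '<object>/<verb>/<filter>' and reject anything not allowlisted."""
    parts = spec.split("/", 2)  # the filter may contain spaces or '/'
    if len(parts) != 3 or not parts[2].strip():
        raise ValueError(f"malformed action: {spec!r}")
    obj, verb, flt = (p.strip() for p in parts)
    if (obj, verb) not in SUPPORTED:
        raise ValueError(f"unsupported action: {obj}/{verb}")
    return Action(obj, verb, flt)

def apply_role_action(selected: set, role_members: dict, action: Action) -> set:
    """Return the new selected-components set; set ops keep this idempotent."""
    members = set(role_members.get(action.filter, ()))
    if action.verb == "add_role":
        return selected | members
    if action.verb == "del_role":
        return selected - members
    raise ValueError(f"not an element role action: {action.verb}")

def answer_question(selected: set, answer: str) -> set:
    """Apply every action whose 'value' matches the submitted answer."""
    for item in QUESTION_ACTIONS:
        if item["value"] == answer:
            selected = apply_role_action(selected, ROLE_MEMBERS, parse_action(item["action"]))
    return selected
```
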

Current limitations:

  • No tests.
  • ElementRoles and Element assignment to roles must be done in the Django admin interface.
  • Adding a component is done through the questionnaire, but if the component is deleted, the question does not yet know or update. Need to be able to clear the question.
  • No handling yet of marking a question unanswered.
  • No logging yet of action result to question history.
  • Code needs optimization and DRY-ness.
  • Roles need to be created manually in the GovReady-Q instance for a compliance app using actions with roles. In the future, when a compliance app is loaded, the roles could be created automatically. A privileged user would still need to assign local elements to roles.

UI changes

  • Provide messaging feedback when answering a question triggers an action.

Data changes

  • Added speedysp to q-files' govready-q-files-startpack to demonstrate how fast an SSP can be made.

Install changes

  • Rename installed sample project to clearly indicate project is sample data.

Bug fixes

  • Properly populate previously blank "Start project" modal that appeared on component library, component library detail, and some other pages.