Version 0.9.3.1
v0.9.3.1 (March 23, 2021)
Includes release v0.9.3.0rc1 changes.
Questions now support "actions" to dynamically update project and system data stored outside of questionnaires.
New, better install process written in Python.
Include all required static files siteapp/static
directory as part of GovReady-Q distribution.
Feature changes
- Re-assign system's baseline to different baseline; dynamically batch add and removes controls to change a system's existing baseline to a different baseline (e.g. from moderate to low)
- Enable questionnaire question to process question system actions to set system baseline (e.g., selected controls).
- Enable questionnaire question to process question system actions to set project title and system name.
- Support "actions" functionality associated with question answers.
- Support assigning "roles" to elements.
- Use new "actions" and "roles" functionality to enable question answers to add/delete components from selected components of a system.
- Add and delete controls from a system's selected controls.
UI changes
- Rename "App Library" to "Template Library" in nav bar.
- Add "Project Home" button to action button ribbon.
- Top of action button ribbon button order now: "Project Home", "Controls", "Components".
- Update 3-column statement layout's "edit" into a glyphicon pencil pulled all the way right, remove extra lines and other small changes.
- Update 3-column statement layout to include column headings.
- Conditionally display remarks in component library using HTML details tag.
- Style searchbox on component library and component library detail page to use search glyphicon to indicate search and remove glyphicon within search box to clear search results.
- Separate user home page (e.g., "/") page from
/project
page to provide a better first use and login experience. - Display number of projects and portfolios on the new user home page.
- Add delete trash icon to selected control list for users with permission to change system. Include a pop-up confirmation dialog.
- Add popup conformation dialog box for deleting components from system's selected components.
- Add autocomplete select box for adding controls to systems's selected controls page.
Developer changes
- Add processing for question actions targeted at system to handle
system/assign_baseline/<value>
to assign baseline set of controls to a system. - Add processing for question actions targeted at system to handle
system/update_system_and_project_name/<value>
to set system name and project title. - Add "actions" to Compliance App questions (e.g., tasks) that are conditionally performed based on question answer(s).
- Add "roles" to identify, organize, and process system elements (e.g., components)
- New, better install process written in Python.
- Include all required static files pre-collected in
static_root
directory as part of GovReady-Q distribution. - Replace shell script install script
install-govready-q.sh
with better Python install scriptinstall.py
. - Now including all static files as part of distribution.
- Adds Snyk Security Scans to CircleCi scanned items include python requirements files requirements.txt, requirements_util.txt, and requirements_mysql.txt.
The add action capability is supported by new actions
item within each defined question.
Actions take the form:
actions:
- value: <answer_value>
action: <object>/<verb>/<filter>
comment: <comment>
Example actions:
actions:
- value: adfs
action: element/add_role/ADFS
comment: Add elements assigned AFDS to selected components
- value: adfs
action: element/del_role/Azure Active Directory
comment: Delete elements assigned Azure Active Directory from selected components
The following actions are currently supported:
system/assign_baseline/<value>
- Automatically sets the system baseline controls to the selected impactsystem/update_system_and_project_name/<value>
- Automatically sets the system, project nameselement/add_role/<role_value>
- Automatically add elements to the selected components of a systemelement/del_role/<role_value>
- Automatically delete elements from the selected components of a system
- Actions are (currently) performed as part of the processing question answer in guidedmodules, before going to next question.
- Actions should be idempotent.
- Actions almost never re-direct user out of the questionnaire.
- Actions need to be reversible. When a user changes an answer previous action should be undone or modified accordingly.
We connect actions defined in the portable compliance app to GovReady-Q instance data via "roles" dynamically assigned to target objects.
In the initially supported use case, Elements can be assiged Roles via new ElementRole
model.
The new ElementRole
model assigns roles to system elements via a Many-to-Many relationship.
ElementRoles and associating Elements to roles is currently be done in Django admin interface.
Roles provide a level of abstraction between an action defined in compliance app and actual objects dynamically assign that role.
ElementRoles also enables categorizing, organizing, filtering, and creating checks around Elements. An example roles might be "internal-only" to make allow checks to be added to prevent accidental disclore.
ElementsRoles differ from more generic tags because the setting of roles should be limited to privileged users and have specific organizational purpose.
Current limitations:
- No tests.
- ElementRoles and Element assignment to roles must be done in Djang admin interface.
- Adding component is done through questionnaire, but if component deleted question does not yet know or update. Need to be able to clear question.
- No handling yet of marking a question unanswered.
- No logging yet of action result to question history.
- Code needs optimization and DRY-ness.
- Roles need to be created manually in the GovReady-Q instance for a compliance app using actions with roles. In the future, when a compliance app is loaded the roles could be created automically. An privileged would still need to assign local elements to roles.
UI changes
- Provide messaging feedback when answering a question triggers an action.
Data changes
- Added speedysp to q-files' govready-q-files-startpack to demonstrate how fast an SSP can be made.
Install changes
- Rename installed sample project to clearly indicate project is sample data.
Bug fixes
- Properly populate previously blank "Start project" modal that appeared on component library, component library detail, and some other pages.