introduce reference warning

features/fedramp_extensions.feature

@@ -152,6 +152,7 @@ Examples:
   | privilege-level |
   | prop-response-point-has-cardinality-one |
   | resource-has-base64-or-rlink |
+  | resource-has-link-reference |
   | resource-has-title |
   | responsible-party-is-person |
   | responsible-party-prepared-by |
@@ -447,6 +448,8 @@ Examples:
   | privilege-level-PASS.yaml |
   | resource-has-base64-or-rlink-FAIL.yaml |
   | resource-has-base64-or-rlink-PASS.yaml |
+  | resource-has-link-reference-FAIL.yaml |
+  | resource-has-link-reference-PASS.yaml |
   | resource-has-title-FAIL.yaml |
   | resource-has-title-PASS.yaml |
   | response-point-FAIL.yaml |

src/validations/constraints/content/ssp-resource-has-link-reference-INVALID.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+  <back-matter>
+    <resource uuid="eeeeeeee-0000-4000-9000-00000000000e">
+      <prop name="type" value="unsupported-type" ns="http://fedramp.gov/ns/oscal"/>
+    </resource>
+  </back-matter>
+</system-security-plan>

src/validations/constraints/content/ssp-resource-has-link-reference-VALID.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+  <metadata>
+        <link href="#eeeeeeee-0000-4000-9000-00000000000e"/>
+  </metadata>
+  <back-matter>  
+    <resource uuid="eeeeeeee-0000-4000-9000-00000000000e">
+      <prop name="type" value="unsupported-type" ns="http://fedramp.gov/ns/oscal"/>
+    </resource>
+  </back-matter>
+</system-security-plan>

src/validations/constraints/fedramp-external-constraints.xml

@@ -158,6 +158,27 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#external-systems-and-services-not-having-fedramp-authorization"/>
                 <message>A FedRAMP SSP MUST have each component describing leveraged systems, interconnections, or authorized services reference at least one user with an authorized privilege and function performed via the "privilege-uuid" property.</message>
             </expect>
+            <index name="index-resource-uuids" target="map:merge(back-matter/resource ! map:entry(@uuid,.))?*">
+                <formal-name>Resource UUIDs in Back Matter</formal-name>
+                <description>This index includes all UUIDs of resources defined in the back-matter.</description>
+                <key-field target="@uuid"/>
+            </index>
+            <index name="index-link-refs" target="map:merge(.//link ! map:entry(substring-after(@href,'#'),.))?*">
+                <formal-name>Links Referencing Back Matter</formal-name>
+                <description>This index includes all links that reference back-matter resources.</description>
+                <key-field target="substring-after(@href,'#')"/>
+            </index>
+            <index-has-key id="resource-has-link-reference" 
+                target="back-matter/resource"
+                name="index-link-refs"
+                level="WARNING">
+                <formal-name>Resource Has Link Reference</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" 
+                    name="help-url" 
+                    value="https://automate.fedramp.gov/documentation/general-concepts/oscal-citations-and-attachments/#citation-and-attachment-details"/>
+                <key-field target="@uuid"/>
+                <message>A resource in the back-matter SHOULD be referenced by at least one link in the document. Resource with UUID '{@uuid}' is not referenced.</message>
+            </index-has-key>
         </constraints>
 
     </context>
@@ -210,6 +231,7 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/general-concepts/oscal-citations-and-attachments/#citation-and-attachment-details"/>
                 <message>Every supporting artifact found in a citation SHOULD have a title.</message>
             </expect>
+
         </constraints>
     </context>
 

src/validations/constraints/unit-tests/resource-has-link-reference-FAIL.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for resource-has-link-reference
+  description: >-
+    This test case validates the behavior of constraint
+    resource-has-link-reference
+  content: ../content/ssp-resource-has-link-reference-INVALID.xml
+  expectations:
+    - constraint-id: resource-has-link-reference
+      result: fail

src/validations/constraints/unit-tests/resource-has-link-reference-PASS.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for resource-has-link-reference
+  description: >-
+    This test case validates the behavior of constraint
+    resource-has-link-reference
+  content:  ../content/ssp-resource-has-link-reference-VALID.xml
+  expectations:
+    - constraint-id: resource-has-link-reference
+      result: pass