Preferred Approach

ssp-figure-26.png

Component-based Representation
system-security-plan:
  uuid: 11111111-2222-4000-8000-000000000000

  system-implementation:
    components:
    - uuid: 11111111-2222-4000-8000-009000300100
      type: software
      title: Database Sample
      description: None
      props:
      - name: asset-type
        value: database
      - name: function
        value: see-remarks
        remarks: Briefly describe the function of the database
      - name: allows-authenticated-scan
        value: 'yes'
      - name: scan-type
        ns: http://fedramp.gov/ns/oscal
        value: database
      - name: vendor-name
        ns: http://fedramp.gov/ns/oscal
        value: Small Biz Software, LLC
      links:
      - href: '#11111111-2222-4000-8000-009000500006'
        rel: used-by
      - href: '#11111111-2222-4000-8000-009001400001'
        rel: receives
      - href: '#11111111-2222-4000-8000-009001400002'
        rel: initiates
      status:
        state: operational
      responsible-roles:
      - role-id: administrator
        party-uuids:
        - 11111111-2222-4000-8000-004000000010

    inventory-items:
    - uuid: 11111111-2222-4000-8000-011000000002
      description: Component Inventory Example
      props:
      - name: asset-id
        value: unique-asset-ID-02
      - name: ipv4-address
        value: 10.2.2.2
      - name: ipv6-address
        value: 0000:0000:0000:0000:0000:ffff:0a02:0202
      - name: mac-address
        value: 00:00:00:00:00:00
      - name: asset-type
        value: appliance
      - name: virtual
        value: 'no'
      - name: public
        value: 'no'
      - name: fqdn
        value: dns.name
      - name: uri
        value: uniform.resource.locator
      - name: netbios-name
        value: netbios-name
      - name: physical-location
        value: Physical location of Asset
      - name: allows-authenticated-scan
        value: 'no'
        remarks: If no, explain why. If yes, omit remark.
      - name: scan-type
        ns: http://fedramp.gov/ns/oscal
        value: infrastructure
      links:
      - href: '#11111111-2222-4000-8000-001000000059'
        rel: baseline
      responsible-parties:
      - role-id: asset-owner
        party-uuids:
        - 11111111-2222-4000-8000-004000000010
      - role-id: asset-administrator
        party-uuids:
        - 11111111-2222-4000-8000-004000000017
      implemented-components:
      - component-uuid: 11111111-2222-4000-8000-009000300100
        props:
        - name: asset-id
          value: unique-asset-ID-3
      remarks: 'COMMENTS: If needed, provide additional information about this inventory
        item.'

Notes:

  • One component assembly describes a thing once; one inventory-item assembly describes each deployed instance of it. If the component is, for example, a Linux virtual machine (VM) image and ten instances of that VM are in use, there is one (1) component assembly and ten (10) inventory-item assemblies, each referencing the same component through implemented-components/component-uuid (as the inventory item above references the database component). Properties that are true of every instance (scan-type, allows-authenticated-scan, vendor-name) belong on the component; instance-specific properties (addresses, asset-id, physical-location) belong on the inventory item.

Inventory Data Locations and XPath Queries

The following queries are intended to show where to find each piece of information within the system inventory template.

All Inventory

XPath Queries

  Number of Inventory Items:
    count(/*/system-implementation/system-inventory/inventory-item)
  Number of Hardware Components:
    count(/*/system-implementation/component[@type="hardware"])
  Number of Software Components:
    count(/*/system-implementation/component[@type="software"])
  In Latest Scan? (for the first inventory item; change [1] to select another):
    /*/system-implementation/system-inventory/inventory-item[1]/prop[@name="is-scanned"]/@value
  List Inventory Items Not Scanned (returns the ipv4-address prop of each):
    /*/system-implementation/system-inventory/inventory-item/prop[@name="is-scanned"][@value='no']/../prop[@name='ipv4-address']
  List of Reasons Inventory Items Were Not Scanned:
    /*/system-implementation/system-inventory/inventory-item/prop[@name="is-scanned"][@value='no']/remarks/node()

Unlike most of the XPath 2.0 queries in this document, the following queries cannot be easily converted to XPath 1.0: they bind the uuids of the matching components with a let expression and deduplicate the addresses with distinct-values(), neither of which exists in XPath 1.0 (let itself was added in XPath 3.0, so a strictly 2.0 processor will reject it as well). If working with XPath 1.0, it is necessary to perform each search as two separate queries: first collect the uuids of the components carrying the wanted prop, then select the inventory items whose implemented-component/@component-uuid is one of those uuids, and union that with the items carrying the prop directly. These queries list all the IPv4 addresses for each scan type (infrastructure, web, and database), whether using the flat-file inventory approach (scan-type set on each inventory-item) or the component-based approach (scan-type set once on the component). Note that in OSCAL 1.0 the value of a prop is its value attribute, as in the component sample above, not its text content, so the comparisons test @value and each query returns the @value of the ipv4-address prop; passing the prop element itself to distinct-values() would atomize it to its empty text content.

XPath Queries

IPv4 Address of All Inventory Items Identified for Infrastructure Scanning:

distinct-values(
  (let $key := /*/system-implementation/component[prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal'][@value='infrastructure']]/@uuid
   return /*/system-implementation/system-inventory/inventory-item[implemented-component/@component-uuid=$key]/prop[@name='ipv4-address']/@value)
  |
  (/*/system-implementation/system-inventory/inventory-item/prop[@name='ipv4-address'][../prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal'][@value='infrastructure']]/@value)
)

IPv4 Address of All Inventory Items Identified for Web Scanning:

distinct-values(
  (let $key := /*/system-implementation/component[prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal'][@value='web']]/@uuid
   return /*/system-implementation/system-inventory/inventory-item[implemented-component/@component-uuid=$key]/prop[@name='ipv4-address']/@value)
  |
  (/*/system-implementation/system-inventory/inventory-item/prop[@name='ipv4-address'][../prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal'][@value='web']]/@value)
)

IPv4 Address of All Inventory Items Identified for Database Scanning:

distinct-values(
  (let $key := /*/system-implementation/component[prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal'][@value='database']]/@uuid
   return /*/system-implementation/system-inventory/inventory-item[implemented-component/@component-uuid=$key]/prop[@name='ipv4-address']/@value)
  |
  (/*/system-implementation/system-inventory/inventory-item/prop[@name='ipv4-address'][../prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal'][@value='database']]/@value)
)

IPv4 Address of All Items Where an Authenticated Scan is Possible:

distinct-values(
  (/*/system-implementation/system-inventory/inventory-item/prop[@name='ipv4-address'][../prop[@name='allows-authenticated-scan'][@value='yes']]/@value)
  |
  (let $key := /*/system-implementation/component[prop[@name='allows-authenticated-scan'][@value='yes']]/@uuid
   return /*/system-implementation/system-inventory/inventory-item[implemented-component/@component-uuid=$key]/prop[@name='ipv4-address']/@value)
)

IPv4 Address of All Items Where an Authenticated Scan is Not Possible:

distinct-values(
  (/*/system-implementation/system-inventory/inventory-item/prop[@name='ipv4-address'][../prop[@name='allows-authenticated-scan'][@value='no']]/@value)
  |
  (let $key := /*/system-implementation/component[prop[@name='allows-authenticated-scan'][@value='no']]/@uuid
   return /*/system-implementation/system-inventory/inventory-item[implemented-component/@component-uuid=$key]/prop[@name='ipv4-address']/@value)
)

Authenticated Scan Justification (if allows-authenticated-scan is "no"; the remarks may sit on the inventory item or on the component, so check both):

/*/system-implementation/system-inventory/inventory-item/prop[@name="allows-authenticated-scan"][@value="no"]/remarks/node()

OR

/*/system-implementation/component/prop[@name="allows-authenticated-scan"][@value="no"]/remarks/node()
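The queries above need an XPath 2.0/3.0 processor. The following is an added example, not FedRAMP's or the OSCAL project's code, showing how the same inventory questions (counts, unscanned items and their reasons, IPv4 addresses per scan type and per authenticated-scan answer, and the justification remarks) can be answered with only the Python standard library, whose ElementTree speaks a subset of XPath 1.0. It therefore does what the XPath 1.0 note describes: it keys the components with one lookup, walks the inventory with a second, and joins them on implemented-component/@component-uuid in Python, so it covers both the component-based and the flat-file inventory styles. The OSCAL 1.0 XML fragment, its uuids, addresses and remarks are constructed for the example; the is-scanned prop is assumed to carry a yes/no value and is matched regardless of namespace, as the table's query does.

```python
"""Answer the inventory questions from the XPath table against an OSCAL 1.0 SSP
using only the standard library. ElementTree has no 'let' and no distinct-values(),
so the component-to-inventory join is two lookups plus a set membership test."""
import xml.etree.ElementTree as ET

NS = {"o": "http://csrc.nist.gov/ns/oscal/1.0"}
FEDRAMP_NS = "http://fedramp.gov/ns/oscal"

# Constructed sample (not from the FedRAMP templates), trimmed to the elements the
# queries touch: one software component on two hosts, one hardware component on an
# appliance whose inventory item also carries scan-type directly (flat-file style).
SAMPLE_SSP = """\
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
    uuid="11111111-2222-4000-8000-000000000000">
  <system-implementation>
    <component uuid="11111111-2222-4000-8000-009000300100" type="software">
      <prop name="allows-authenticated-scan" value="yes"/>
      <prop name="scan-type" ns="http://fedramp.gov/ns/oscal" value="database"/>
    </component>
    <component uuid="11111111-2222-4000-8000-009000300200" type="hardware">
      <prop name="allows-authenticated-scan" value="no"><remarks><p>Vendor appliance; no credentialed access is exposed.</p></remarks></prop>
      <prop name="scan-type" ns="http://fedramp.gov/ns/oscal" value="infrastructure"/>
    </component>
    <system-inventory>
      <inventory-item uuid="11111111-2222-4000-8000-011000000001">
        <prop name="ipv4-address" value="10.2.2.1"/>
        <prop name="is-scanned" value="yes"/>
        <implemented-component component-uuid="11111111-2222-4000-8000-009000300100"/>
      </inventory-item>
      <inventory-item uuid="11111111-2222-4000-8000-011000000002">
        <prop name="ipv4-address" value="10.2.2.2"/>
        <prop name="is-scanned" value="no"><remarks><p>Host was offline during the scan window.</p></remarks></prop>
        <implemented-component component-uuid="11111111-2222-4000-8000-009000300100"/>
      </inventory-item>
      <inventory-item uuid="11111111-2222-4000-8000-011000000003">
        <prop name="ipv4-address" value="10.2.0.1"/>
        <prop name="is-scanned" value="yes"/>
        <prop name="scan-type" ns="http://fedramp.gov/ns/oscal" value="infrastructure"/>
        <implemented-component component-uuid="11111111-2222-4000-8000-009000300200"/>
      </inventory-item>
    </system-inventory>
  </system-implementation>
</system-security-plan>
"""


def load_ssp(xml_text=SAMPLE_SSP):
    return ET.fromstring(xml_text)

def props(elem, name, ns=None):
    """All <prop> children of elem with this name (and this ns, when one is given)."""
    return [p for p in elem.findall("o:prop", NS)
            if p.get("name") == name and (ns is None or p.get("ns") == ns)]

def prop_value(elem, name, ns=None):
    found = props(elem, name, ns)
    return found[0].get("value") if found else None  # OSCAL 1.0: value is an attribute

def remarks_text(prop):
    r = prop.find("o:remarks", NS)
    return "".join(r.itertext()).strip() if r is not None else ""

def components(root):
    return root.findall("o:system-implementation/o:component", NS)

def inventory_items(root):
    return root.findall("o:system-implementation/o:system-inventory/o:inventory-item", NS)

def count_components(root, ctype):
    return sum(1 for c in components(root) if c.get("type") == ctype)

def unscanned_items(root):
    """(ipv4-address, justification) for each inventory item with is-scanned='no'."""
    return [(prop_value(i, "ipv4-address"), remarks_text(p))
            for i in inventory_items(root) for p in props(i, "is-scanned")
            if p.get("value") == "no"]

def ipv4_where_prop(root, name, value, ns=None):
    """IPv4 addresses of items whose own prop, or whose implemented component's prop,
    has name=value. Query 1 keys the components; query 2 walks the inventory and joins
    on implemented-component/@component-uuid; the set dedupes like distinct-values()."""
    keyed = {c.get("uuid") for c in components(root) if prop_value(c, name, ns) == value}
    hits = set()
    for item in inventory_items(root):
        on_item = prop_value(item, name, ns) == value
        via_component = any(ic.get("component-uuid") in keyed
                            for ic in item.findall("o:implemented-component", NS))
        if on_item or via_component:
            hits.add(prop_value(item, "ipv4-address"))
    return sorted(hits)

def authenticated_scan_justifications(root):
    """Remarks on every allows-authenticated-scan='no' prop, whether it sits on an
    inventory item or on a component (the two OR'd queries in the table)."""
    holders = inventory_items(root) + components(root)
    return [remarks_text(p) for h in holders
            for p in props(h, "allows-authenticated-scan") if p.get("value") == "no"]
```

For a real SSP, replace SAMPLE_SSP with the file contents; ipv4_where_prop(root, "scan-type", "web", FEDRAMP_NS) yields the web-scanning target list, and comparing it against the addresses actually present in the latest scan report is the usual way to surface inventory drift before an assessor does.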