Add OSCAL Component Definitions as a release artifact

[jpower432]

Share the context

Utilities were added to the content repository to create OSCAL Component definitions from the compliance data stored in YAML.
This allows user/devs to create OSCAL Component Definitions for products on an as-needed basis with the profiles and catalogs that exist in the trestle workspace under shared/references/oscal.

Description of problem:

In order to get component definitions from this repository, a user would have to clone the repository and create it through the utilities.

Problems with this:

• Consistency: OSCAL Component Definition would have different UUID when generated from the same commit.
• Ease of Use: Steps including setting up a development environment are required to generate a component definition
• Traceability: It can be difficult to associated the Component Definition with a release or commit because they are regenerated with each run (related to Consistency)

Proposed change:

Choose products and available profile combinations to generate OSCAL component definitions and add it as a release artifact so can be easily imported into an SSP or workspace (e.g. trestle import).

References:

Related to #11106
A repository I created for demonstrate the transformation - https://github.com/jpower432/oscal-authoring-demo

[Mab879]

A folder called component-definitions would be fine in the release artifacts.

[Mab879]

@marcusburghardt Is this still valid?

[marcusburghardt]

@marcusburghardt Is this still valid?

The proposal is still valid but, I am only not sure if the CaC/content would be the best option to store OSCAL component definition files. We probably need to discuss more on this. What do you think @jpower432 ?

[jpower432]

The proposal is still valid but, I am only not sure if the CaC/content would be the best option to store OSCAL component definition files. We probably need to discuss more on this. What do you think @jpower432 ?

I agree. Perhaps we could explore if it makes more sense to store and distribute the OSCAL Component Definitions from one of the OSCAL repositories in the CaC org.

@Mab879 @marcusburghardt Would it be preferable to move this topic to a GitHub Discussion or keep this issue open to continue the dicussion?

[Mab879]

I will move this issue a discussion.

[marcusburghardt]

We are actively working in initiatives to generate OSCAL content based on CaC content and at this point there is already a working structure for OSCAL content transformed using trestle-bot in https://github.com/complytime/oscal-content . It would be great to move this repository under the ComplianceAsCode organization so we can enable automation to populate it based on CaC/content.

@Mab879 do you have any concern or objection on moving oscal-content repository from ComplyTime organization to ComplianceAsCode organization?

FYI @ggbecker @huiwangredhat

[Mab879]

This should be fine. I'm happy to work with you on CI and the limits we have there.

[marcusburghardt]

I believe the first step would be to centralize the OSCAL content (by the proposal in my previous comment). From that point we can better assess how to release artifacts.