Merge branch '878-link-remapper-method-component-defn' of https://git…

…hub.com/defenseunicorns/lula into 878-link-remapper-method-component-defn
defenseunicorns · Jan 24, 2025 · 6d4a4ad · 6d4a4ad
2 parents ff78d2a + f687f4e
commit 6d4a4ad
Show file tree

Hide file tree

Showing 10 changed files with 63 additions and 46 deletions.
diff --git a/.github/actions/golang/action.yaml b/.github/actions/golang/action.yaml
@@ -4,7 +4,7 @@ description: "Setup Go binary and caching"
 runs:
   using: composite
   steps:
-    - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+    - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
       with:
         go-version-file: './go.mod'
         cache: true
diff --git a/.github/actions/install-tools/action.yaml b/.github/actions/install-tools/action.yaml
@@ -5,4 +5,4 @@ runs:
   using: composite
   steps:
 
-    - uses: anchore/sbom-action/download-syft@df80a981bc6edbc4e220a492d3cbe9f5547a6e75 # v0.17.9
+    - uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
diff --git a/.github/workflows/scan-codeql.yaml b/.github/workflows/scan-codeql.yaml
@@ -42,7 +42,7 @@ jobs:
         uses: ./.github/actions/golang
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
+        uses: github/codeql-action/init@ee117c905ab18f32fa0f66c2fe40ecc8013f3e04 # v3.28.4
         with:
           languages: ${{ matrix.language }}
           # config-file: ./.github/codeql.yaml #Uncomment once config file is needed.
@@ -52,7 +52,7 @@ jobs:
 
       - name: Perform CodeQL Analysis
         id: scan
-        uses: github/codeql-action/analyze@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
+        uses: github/codeql-action/analyze@ee117c905ab18f32fa0f66c2fe40ecc8013f3e04 # v3.28.4
         with:
           category: "/language:${{matrix.language}}"
 
diff --git a/.github/workflows/scan-gosec.yaml b/.github/workflows/scan-gosec.yaml
@@ -42,6 +42,6 @@ jobs:
           retention-days: 5
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
+        uses: github/codeql-action/upload-sarif@ee117c905ab18f32fa0f66c2fe40ecc8013f3e04 # v3.28.4
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/scan-kics.yaml b/.github/workflows/scan-kics.yaml
@@ -22,7 +22,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: run kics Scan
-        uses: checkmarx/kics-github-action@94469746ec2c43de89a42fb9d2a80070f5d25b16 # v2.1.3
+        uses: checkmarx/kics-github-action@5a6152ef88416063435cebadfec9de28bcfd041d # v2.1.4
         with:
           path: 'demo,src'
           output_formats: 'sarif'
@@ -39,7 +39,7 @@ jobs:
           retention-days: 5
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
+        uses: github/codeql-action/upload-sarif@ee117c905ab18f32fa0f66c2fe40ecc8013f3e04 # v3.28.4
         with:
           sarif_file: results.sarif
 

diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
@@ -46,6 +46,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
+        uses: github/codeql-action/upload-sarif@ee117c905ab18f32fa0f66c2fe40ecc8013f3e04 # v3.28.4
         with:
           sarif_file: results.sarif
diff --git a/src/pkg/common/composition/composition.go b/src/pkg/common/composition/composition.go
@@ -11,12 +11,13 @@ import (
 	"github.com/defenseunicorns/go-oscal/src/pkg/uuid"
 	"github.com/defenseunicorns/go-oscal/src/pkg/versioning"
 	oscalTypes "github.com/defenseunicorns/go-oscal/src/types/oscal-1-1-3"
+	k8syaml "k8s.io/apimachinery/pkg/util/yaml"
+
 	"github.com/defenseunicorns/lula/src/internal/template"
 	"github.com/defenseunicorns/lula/src/pkg/common"
 	"github.com/defenseunicorns/lula/src/pkg/common/network"
 	"github.com/defenseunicorns/lula/src/pkg/common/oscal"
 	"github.com/defenseunicorns/lula/src/pkg/message"
-	k8syaml "k8s.io/apimachinery/pkg/util/yaml"
 )
 
 type RenderedContent string
@@ -124,7 +125,7 @@ func (c *Composer) ComposeComponentDefinitions(ctx context.Context, compDef *osc
 				}
 
 				// Merge the component definitions
-				compDef, err = oscal.MergeComponentDefinitions(compDef, importDef)
+				err = oscal.MergeComponentDefinitions(compDef, importDef)
 				if err != nil {
 					return err
 				}

diff --git a/src/pkg/common/oscal/complete-schema.go b/src/pkg/common/oscal/complete-schema.go
@@ -216,12 +216,10 @@ func MergeOscalModels(existingModel *oscalTypes.OscalModels, newModel *oscalType
 			return newModel, nil
 		}
 
-		merged, err := MergeComponentDefinitions(existingModel.ComponentDefinition, newModel.ComponentDefinition)
+		err := MergeComponentDefinitions(existingModel.ComponentDefinition, newModel.ComponentDefinition)
 		if err != nil {
 			return nil, err
 		}
-		// Re-assign after processing errors
-		existingModel.ComponentDefinition = merged
 	}
 
 	// Assessment Results

diff --git a/src/pkg/common/oscal/component.go b/src/pkg/common/oscal/component.go
@@ -93,11 +93,11 @@ func (c *ComponentDefinition) HandleExisting(path string) error {
 		if err != nil {
 			return err
 		}
-		model, err := MergeComponentDefinitions(compDef.Model, c.Model)
+		err = MergeComponentDefinitions(compDef.Model, c.Model)
 		if err != nil {
 			return err
 		}
-		c.Model = model
+		c.Model = compDef.Model
 	}
 	return nil
 }
@@ -176,7 +176,7 @@ func MergeVariadicComponentDefinition(compDefs ...*oscalTypes.ComponentDefinitio
 		if mergedCompDef == nil {
 			mergedCompDef = compDef
 		} else {
-			mergedCompDef, err = MergeComponentDefinitions(mergedCompDef, compDef)
+			err = MergeComponentDefinitions(mergedCompDef, compDef)
 			if err != nil {
 				return nil, err
 			}
@@ -186,26 +186,51 @@ func MergeVariadicComponentDefinition(compDefs ...*oscalTypes.ComponentDefinitio
 }
 
 // This function should perform a merge of two component-definitions where maintaining the original component-definition is the primary concern.
-func MergeComponentDefinitions(original *oscalTypes.ComponentDefinition, latest *oscalTypes.ComponentDefinition) (*oscalTypes.ComponentDefinition, error) {
+func MergeComponentDefinitions(original *oscalTypes.ComponentDefinition, latest *oscalTypes.ComponentDefinition) error {
+	// Nil check on original and latest
+	if original == nil {
+		return fmt.Errorf("original component-definition is nil")
+	}
 
-	originalMap := make(map[string]oscalTypes.DefinedComponent)
+	if latest == nil {
+		return fmt.Errorf("latest component-definition is nil")
+	}
 
-	if original.Components == nil {
-		return original, fmt.Errorf("original component-definition is nil")
+	// merge the component-definition.components
+	if original.Components != nil && latest.Components != nil {
+		original.Components = mergeDefinedComponents(original.Components, latest.Components)
+	} else if original.Components == nil && latest.Components != nil {
+		original.Components = latest.Components
 	}
 
-	if latest.Components == nil {
-		return original, fmt.Errorf("latest component-definition is nil")
+	// merge the component-definition.back-matter resources
+	if original.BackMatter != nil && latest.BackMatter != nil {
+		original.BackMatter = &oscalTypes.BackMatter{
+			Resources: mergeResources(original.BackMatter.Resources, latest.BackMatter.Resources),
+		}
+	} else if original.BackMatter == nil && latest.BackMatter != nil {
+		original.BackMatter = latest.BackMatter
 	}
 
-	for _, component := range *original.Components {
-		originalMap[component.Title] = component
+	// Artifact will be modified - need to update the timestamp and UUID
+	original.Metadata.LastModified = time.Now()
+	original.UUID = uuid.NewUUID()
+
+	return nil
+
+}
+
+func mergeDefinedComponents(original *[]oscalTypes.DefinedComponent, latest *[]oscalTypes.DefinedComponent) *[]oscalTypes.DefinedComponent {
+	originalMap := make(map[string]oscalTypes.DefinedComponent)
+
+	for _, component := range *original {
+		originalMap[component.UUID] = component
 	}
 
 	latestMap := make(map[string]oscalTypes.DefinedComponent)
 
-	for _, component := range *latest.Components {
-		latestMap[component.Title] = component
+	for _, component := range *latest {
+		latestMap[component.UUID] = component
 	}
 
 	tempItems := make([]oscalTypes.DefinedComponent, 0)
@@ -225,23 +250,7 @@ func MergeComponentDefinitions(original *oscalTypes.ComponentDefinition, latest
 		tempItems = append(tempItems, item)
 	}
 
-	// merge the back-matter resources
-	if original.BackMatter != nil && latest.BackMatter != nil {
-		original.BackMatter = &oscalTypes.BackMatter{
-			Resources: mergeResources(original.BackMatter.Resources, latest.BackMatter.Resources),
-		}
-	} else if original.BackMatter == nil && latest.BackMatter != nil {
-		original.BackMatter = latest.BackMatter
-	}
-
-	original.Components = &tempItems
-	original.Metadata.LastModified = time.Now()
-
-	// Artifact will be modified - need to update the UUID
-	original.UUID = uuid.NewUUID()
-
-	return original, nil
-
+	return &tempItems
 }
 
 func mergeComponents(original *oscalTypes.DefinedComponent, latest *oscalTypes.DefinedComponent) *oscalTypes.DefinedComponent {

diff --git a/src/pkg/common/oscal/component_test.go b/src/pkg/common/oscal/component_test.go
@@ -249,6 +249,7 @@ func TestMergeComponentDefinitions(t *testing.T) {
 		expectedImplementedRequirements       int
 		expectedTargetControlImplementations  int
 		expectedTargetImplementedRequirements int
+		uniqueComponent                       bool
 		wantErr                               bool
 	}{
 		{
@@ -262,6 +263,7 @@ func TestMergeComponentDefinitions(t *testing.T) {
 			expectedImplementedRequirements:       4,
 			expectedTargetControlImplementations:  1,
 			expectedTargetImplementedRequirements: 4,
+			uniqueComponent:                       false,
 			wantErr:                               false,
 		},
 		{
@@ -275,6 +277,7 @@ func TestMergeComponentDefinitions(t *testing.T) {
 			expectedImplementedRequirements:       6,
 			expectedTargetControlImplementations:  1,
 			expectedTargetImplementedRequirements: 6,
+			uniqueComponent:                       false,
 			wantErr:                               false,
 		},
 		{
@@ -288,6 +291,7 @@ func TestMergeComponentDefinitions(t *testing.T) {
 			expectedControlImplementations:        2,
 			expectedTargetImplementedRequirements: 4,
 			expectedTargetControlImplementations:  1,
+			uniqueComponent:                       true,
 			wantErr:                               false,
 		},
 		{
@@ -322,7 +326,12 @@ func TestMergeComponentDefinitions(t *testing.T) {
 				t.Errorf("ComponentFromCatalog() generated should not be nil")
 			}
 
-			merged, err := oscal.MergeComponentDefinitions(validComponent, generated.Model)
+			// Check if component is supposed to be unique - override UUID if not
+			if !tt.uniqueComponent {
+				(*generated.Model.Components)[0].UUID = (*validComponent.Components)[0].UUID
+			}
+
+			err = oscal.MergeComponentDefinitions(validComponent, generated.Model)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("MergeComponentDefinitions() error = %v, wantErr %v", err, tt.wantErr)
 				return
@@ -333,9 +342,9 @@ func TestMergeComponentDefinitions(t *testing.T) {
 			}
 
 			// Perform checks on quantities
-			components := (*merged.Components)
+			components := (*validComponent.Components)
 			if len(components) != tt.expectedComponents {
-				t.Errorf("MergeComponentDefinitions() expected %v components, got %v", tt.expectedComponents, len((*merged.Components)))
+				t.Errorf("MergeComponentDefinitions() expected %v components, got %v", tt.expectedComponents, len((*validComponent.Components)))
 			}
 			controlImplementations := make([]oscalTypes.ControlImplementationSet, 0)
 			var targetComponent oscalTypes.DefinedComponent