Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/GoComply/oscalkit
NIST OSCAL SDK and CLI
https://github.com/GoComply/oscalkit
fedramp nist oscal
Last synced: 24 days ago
JSON representation
NIST OSCAL SDK and CLI
- Host: GitHub
- URL: https://github.com/GoComply/oscalkit
- Owner: GoComply
- License: other
- Created: 2020-08-26T11:05:32.000Z (almost 4 years ago)
- Default Branch: master
- Last Pushed: 2024-05-01T14:40:17.000Z (2 months ago)
- Last Synced: 2024-05-02T19:49:25.258Z (2 months ago)
- Topics: fedramp, nist, oscal
- Language: Go
- Homepage: http://isimluk.com/posts/2020/12/gocomply-with-oscal-fedramp-introduction-to-oscalkit/
- Size: 10 MB
- Stars: 15
- Watchers: 4
- Forks: 4
- Open Issues: 5
-
Metadata Files:
- Readme: README.md
- License: LICENSE.md
Lists
- awesome-oscal - GoComply's oscalkit - based software development kit and command-line utility for operating on OSCAL data models. (Tools)
README
# oscalkit  [](https://gitter.im/GoComply/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge) [](https://pkg.go.dev/github.com/gocomply/oscalkit)
> This project has been forked from [docker/oscalkit](https://github.com/docker/oscalkit). [Docker, Inc.](https://www.docker.com/company) did great service to the open source world by releasing initial oscalkit implementation under public domain license. Unfortunately, oscalkit development stalled after March 2019, while [upstream OSCAL](https://github.com/usnistgov/OSCAL) took leap steps and almost re-designed the OSCAL from scratch rendering original oscalkit unusable. This fork is attempt to keep original code lively and re-build community around it.
Barebones Go SDK for the [Open Security Controls Assessment Language (OSCAL)](https://csrc.nist.gov/Projects/Open-Security-Controls-Assessment-Language) which is in development by the [National Institute of Standards and Technology (NIST)](https://www.nist.gov/). A CLI tool is also included for processing OSCAL documents, converting between OSCAL-formatted XML, JSON and YAML. For conversion of Your existing SSPs in form of [OpenControl](https://open-control.org/) or traditional [DOCX files](https://github.com/GoComply/fedramp/issues/3) projects in to OSCAL visit sister project [GoComply/fedramp](https://github.com/GoComply/fedramp).
Documentation for the OSCAL standard can be found at https://pages.nist.gov/OSCAL.
## Installing
You can download the appropriate `gocomply_oscalkit` command-line utility for your system from the [GitHub Releases](https://github.com/gocomply/oscalkit/releases) page. You can move it to an appropriate directory listed in your `$PATH` environment variable. Alternatively, You can fetch latest greatest version by running
```
go get -u github.com/gocomply/oscalkit/cli/gocomply_oscalkit
```
## Usage
```
NAME:
gocomply_oscalkit - OSCAL toolkit
USAGE:
gocomply_oscalkit [global options] command [command options] [arguments...]
VERSION:
0.2.0
COMMANDS:
convert convert between one or more OSCAL file formats and to HTML format
validate validate files against OSCAL XML and JSON schemas
sign sign OSCAL JSON artifacts
generate generates go code against provided profile
implementation generates go code for implementation against provided profile and excel sheet
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--debug, -d enable debug command output
--help, -h show help
--version, -v print the version
```
### Convert between XML and JSON
`gocomply_oscalkit` can be used to convert one or more source files between OSCAL-formatted XML and JSON.
```
NAME:
gocomply_oscalkit convert oscal - convert between one or more OSCAL file formats
USAGE:
gocomply_oscalkit convert oscal [command options] [source-files...]
DESCRIPTION:
Convert between OSCAL-formatted XML and JSON files. The command accepts
one or more source file paths and can also be used with source file contents
piped/redirected from STDIN.
OPTIONS:
--output-path value, -o value Output path for converted file(s). Defaults to current working directory
--output-file value, -f value File name for converted output from STDIN. Defaults to "stdin."
--yaml If source file format is XML or JSON, also generate equivalent YAML output
```
#### Examples
Convert OSCAL-formatted NIST 800-53 declarations from XML to JSON:
$ gocomply_oscalkit convert oscal SP800-53-declarations.xml
Convert OSCAL-formatted NIST 800-53 declarations from XML to JSON via STDIN (note the use of "-"):
$ cat SP800-53-declarations.xml | gocomply_oscalkit convert oscal -
### Signing OSCAL JSON with JWS
`gocomply_oscalkit` can be used to sign OSCAL-formatted JSON artifacts using JSON Web Signature (JWS)
```
NAME:
gocomply_oscalkit sign - sign OSCAL JSON artifacts
USAGE:
gocomply_oscalkit sign [command options] [files...]
OPTIONS:
--key value, -k value private key file for signing. Must be in PEM or DER formats. Supports RSA/EC keys and X.509 certificats with embedded RSA/EC keys
--alg value, -a value algorithm for signing. Supports RSASSA-PKCS#1v1.5, RSASSA-PSS, HMAC, ECDSA and Ed25519
```
The following signing algorithms are supported:
Signing / MAC | Algorithm identifier(s)
:------------------------- | :------------------------------
RSASSA-PKCS#1v1.5 | RS256, RS384, RS512
RSASSA-PSS | PS256, PS384, PS512
HMAC | HS256, HS384, HS512
ECDSA | ES256, ES384, ES512
Ed25519 | EdDSA
#### Examples
Sign OSCAL-formatted JSON using a PEM-encoded private key file and the PS256 signing algorithm:
$ gocomply_oscalkit sign --key jws-example-key.pem --alg PS256 NIST_SP-800-53_rev4_catalog.json
### Validate against XML and JSON schemas
The tool supports validation of OSCAL-formatted XML and JSON files against the corresponding OSCAL XML schemas (.xsd) and JSON schemas. Schemas are packaged with the tool and found automatically based on the type of OSCAL file. XML schema validation requires the `xmllint` tool on the local machine (included with macOS and Linux. Windows installation instructions [here](https://stackoverflow.com/a/21227833))
```
NAME:
gocomply_oscalkit validate - validate files against OSCAL XML and JSON schemas
USAGE:
gocomply_oscalkit validate [command options] [files...]
DESCRIPTION:
Validate OSCAL-formatted XML files against a specific XML schema (.xsd)
or OSCAL-formatted JSON files against a specific JSON schema
```
#### Examples
Validate FedRAMP profile in OSCAL-formatted JSON against the corresponding JSON schema
$ gocomply_oscalkit validate -s oscal-core.json fedramp-annotated-wrt-SP800-53catalog.json
## Developing
`oscalkit` is developed with [Go](https://golang.org/) (1.13+). If you have Docker installed, the included `Makefile` can be used to run unit tests and compile the application for Linux, macOS and Windows. Otherwise, the native Go toolchain can be used.
### Dependency management
Dependencies are managed with [Go 1.11 Modules](https://github.com/golang/go/wiki/Modules). The `vendor/` folder containing the dependencies is checked in with the source for backwards compatibility with previous versions of Go. When using Go 1.11+ with `GO111MODULE=on`, you can verify the dependencies as follows:
$ go mod verify
### Compile
You can use the included `Makefile` to generate binaries for your OS as follows (requires [Docker](https://docs.docker.com/engine/installation/)):
Compile for Linux:
$ GOOS=linux GOARCH=amd64 make
Compile for macOS:
$ GOOS=darwin GOARCH=amd64 make
Compile for Windows:
$ GOOS=windows GOARCH=amd64 make
### Website and documentation
Both the website and corresponding documentation are being developed in `docs/`. The content is developed using the [Hugo](https://gohugo.io/) framework. The static content is generated and published in `docs/public`, which is a separate Git worktree.
The GoDoc for the SDK can be found [here](https://godoc.org/github.com/docker/oscalkit).
### Releasing
The [GoReleaser](https://goreleaser.com/) tool is used to publish `oscalkit` to GitHub Releases. The following release artifacts are currently supported:
- OSX binary
- Linux binary
- Windows binary
- Docker Image
- Homebrew recipe