Merge branch 'main' into poc-initial-report

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,30 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: possible-bug
+assignees: ''
+---
+
+### Environment
+Device and OS:  
+App version:    
+Kubernetes distro:  
+Kubernetes version:  
+provider:
+- [ ] kyverno
+- [ ] opa
+
+### Steps to reproduce
+1.
+
+### Expected result
+
+### Actual Result
+
+### Visual Proof (screenshots, videos, text, etc)
+
+### Severity/Priority
+
+### Additional Context
+Add any other context or screenshots about the technical debt here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,22 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: 'enhancement'
+assignees: ''
+---
+
+### Is your feature request related to a problem? Please describe.
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+### Describe the solution you'd like
+
+- **Given** a state
+- **When** an action is taken
+- **Then** something happens
+
+### Describe alternatives you've considered
+(optional) A clear and concise description of any alternative solutions or features you've considered.
+
+### Additional context
+Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/tech_debt.md

@@ -0,0 +1,19 @@
+---
+name: Tech debt
+about: Record something that should be investigated or refactored in the future.
+title: ''
+labels: 'tech-debt'
+assignees: ''
+---
+
+### Describe what should be investigated or refactored
+
+A clear and concise description of what should be changed/researched. Ex. This piece of the code is not DRY enough [...]
+
+### Links to any relevant code
+
+(optional) i.e. - <https://github.com/defenseunicorns/lula/blob/main/README.md?plain=1#L1>
+
+### Additional context
+
+Add any other context or screenshots about the technical debt here.

.github/pull_request_template.md

@@ -0,0 +1,20 @@
+## Description
+
+...
+
+## Related Issue
+
+Fixes #
+<!-- or -->
+Relates to #
+
+## Type of change
+
+- [ ] Bug fix (non-breaking change which fixes an issue)
+- [ ] New feature (non-breaking change which adds functionality)
+- [ ] Other (security config, docs update, etc)
+
+## Checklist before merging
+
+- [ ] Test, docs, adr added or updated as needed
+- [ ] [Contributor Guide Steps](https://github.com/defenseunicorns/lula/blob/main/CONTRIBUTING.md) followed

.github/workflows/release.yaml

@@ -91,14 +91,6 @@ jobs:
           name: build-artifacts
           path: bin/
 
-      - name: Get Brew tap repo token
-        id: brew-tap-token
-        uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3 # v3.0.0
-        with:
-          application_id: ${{ secrets.HOMEBREW_TAP_WORKFLOW_GITHUB_APP_ID }}
-          application_private_key: ${{ secrets.HOMEBREW_TAP_WORKFLOW_GITHUB_APP_SECRET }}
-          organization: defenseunicorns
-
       # Create the GitHub release notes
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
@@ -108,4 +100,3 @@ jobs:
           args: release --rm-dist --debug
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}}
-          HOMEBREW_TAP_GITHUB_TOKEN: ${{ steps.brew-tap-token.outputs.token }}

.github/workflows/scan-codeql.yaml

@@ -42,7 +42,7 @@ jobs:
         uses: ./.github/actions/golang
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
+        uses: github/codeql-action/init@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
         with:
           languages: ${{ matrix.language }}
           # config-file: ./.github/codeql.yaml #Uncomment once config file is needed.
@@ -52,7 +52,7 @@ jobs:
 
       - name: Perform CodeQL Analysis
         id: scan
-        uses: github/codeql-action/analyze@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
+        uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
         with:
           category: "/language:${{matrix.language}}"
 

.github/workflows/scorecard.yaml

@@ -46,6 +46,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
+        uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
         with:
           sarif_file: results.sarif

.goreleaser.yaml

@@ -42,27 +42,6 @@ snapshot:
 changelog:
   use: github-native
 
-brews:
-  - name: lula
-    repository:
-      owner: defenseunicorns
-      name: homebrew-tap
-      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
-    commit_msg_template: "Brew formula update for {{ .ProjectName }} version {{ .Tag }}"
-    homepage: "https://github.com/defenseunicorns/lula"
-    description: "The Compliance Validator"
-
-  # NOTE: We are using .Version instead of .Tag because homebrew has weird semver parsing rules and won't be able to
-  #       install versioned releases that has a `v` character before the version number.
-  - name: "lula@{{ .Version }}"
-    repository:
-      owner: defenseunicorns
-      name: homebrew-tap
-      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
-    commit_msg_template: "Brew formula update for {{ .ProjectName }} versioned release {{ .Tag }}"
-    homepage: "https://github.com/defenseunicorns/lula"
-    description: "The Compliance Validator"
-
 # Generate a GitHub release and publish the release for the tag
 release:
   github:

demo/oscal-component-kyverno.yaml

@@ -36,12 +36,10 @@ component-definition:
           This control validates that the demo-pod pod in the validation-test namespace contains the required pod label foo=bar in order to establish compliance.
         links:
           - href: '#a7377430-2328-4dc4-a9e2-b3f31dc1dff9'
-            rel: reference
-            text: Lula Validation
+            rel: lula
   back-matter: 
     resources:
     - uuid: a7377430-2328-4dc4-a9e2-b3f31dc1dff9
-      title: Lula Validation
       rlinks:
         - href: lula.dev
       description: >-

demo/oscal-component-opa.yaml

@@ -36,12 +36,10 @@ component-definition:
           This control validates that the demo-pod pod in the validation-test namespace contains the required pod label foo=bar in order to establish compliance.
         links:
           - href: '#a7377430-2328-4dc4-a9e2-b3f31dc1dff9'
-            rel: reference
-            text: Lula Validation
+            rel: lula
   back-matter: 
     resources:
     - uuid: a7377430-2328-4dc4-a9e2-b3f31dc1dff9
-      title: Lula Validation
       rlinks:
         - href: lula.dev
       description: >-

docs/oscal-validation-links.md

@@ -0,0 +1,132 @@
+# Validation Identifiers
+
+- [Validation Identifiers](#validation-identifiers)
+  - [Connecting Links with Lula Validations](#connecting-links-with-lula-validations)
+    - [Rel](#rel)
+  - [Importing Validations](#importing-validations)
+    - [Local Validations](#local-validations)
+    - [Remote Validations](#remote-validations)
+    - [Checksums](#checksums)
+    - [Multiple Validations](#multiple-validations)
+___
+In OSCAL - `links` contains the following fields:
+```yaml
+links:
+  - href: https://www.example.com/
+    rel: reference
+    text: Example
+    media-type: text/html
+    resource-fragment: some-fragment
+```
+
+These links are a "reference to a local or remote resource, that has a specific relation to the containing object" - [Component Definition Links](https://pages.nist.gov/OSCAL-Reference/models/v1.1.2/component-definition/json-reference/#/component-definition/components/links).
+
+As such, links are a native OSCAL attribute that Lula can use to map to Validations. 
+
+## Connecting Links with Lula Validations
+
+After identifying a control and writing a Lula Validation, we need to store that Lula Validation within the OSCAL artifact for referencing.
+
+This is accomplished by adding a new `resource` to the `back-matter` as shown below:
+
+```yaml
+back-matter:
+  resources:
+  - uuid: a7377430-2328-4dc4-a9e2-b3f31dc1dff9
+    description: >-
+      domain:
+        type: kubernetes
+        kubernetes-spec:
+          resources:
+          - name: podsvt 
+            resource-rule:   
+              group: 
+              version: v1
+              resource: pods
+              namespaces: [validation-test] 
+      provider: 
+        type: opa
+        opa-spec:
+          rego: |
+            package validate
+
+            import future.keywords.every
+
+            validate {
+              every pod in input.podsvt {
+                podLabel := pod.metadata.labels.foo
+                podLabel == "bar"
+              }
+            }
+```
+
+Now we need to map an existing control (or Component-Definition Implemented-Requirement) to this Lula Validation. 
+
+### Rel
+The default workflow is to use the rel attribute to indicate that Lula has work to perform.
+
+In the instance of a standard validation - A link to a Lula Validation might look like this:
+```yaml
+links:
+  - href: '#a7377430-2328-4dc4-a9e2-b3f31dc1dff9'
+    rel: lula
+```
+
+Where `href: '#a7377430-2328-4dc4-a9e2-b3f31dc1dff9'` points to an OSCAL object with a UUID reference and `rel: lula` indicates that the link is to a Lula Validation.
+UUID's should always be unique per object in the OSCAL artifact.
+
+
+> [!TIP]
+> You can generate a random UUID using `lula tools uuidgen` or a deterministic UUID using `lula tools uuidgen <string>`.
+
+## Importing Validations
+In addition to storing validaitons in the `BackMatter`, `links` may be used to fetch resources external to the `component-definition`.
+
+### Local Validations
+- must be prefixed with `file:`
+- `file:` must be a relative path to the `component-definition` or an absolute path
+```yaml
+links:
+  - href: file:./validation.yaml
+    rel: lula
+  - href: file:/home/user/validations/validation.yaml
+    rel: lula
+```
+
+### Remote Validations
+- must be prefixed with `https:` or `http:`
+- `https:` or `http:` must be a valid URL
+```yaml
+links:
+  - href: https://example.com/validation.yaml
+    rel: lula
+```
+
+### Checksums
+- A checksum may be provided in the href using the suffix `@<checksum>` 
+- Supports `sha1`, `sha256`, `sha512`, `md5`
+```yaml
+links:
+  - href: https://example.com/validation.yaml@0123456789abcdef
+    rel: lula
+```
+
+### Multiple Validations 
+- A file with multiple validations may be provided in the link.
+- `---` should be used to separate each validation
+- `resource-fragment: <UUID>` will run the validation with the UUID specified
+- `resource-fragment: *` will run all validations
+```yaml
+// Only runs the validation with the UUID of a7377430-2328-4dc4-a9e2-b3f31dc1dff9
+links:
+  - href: https://example.com/multi-validations.yaml
+    rel: lula
+    resource-fragment: '#a7377430-2328-4dc4-a9e2-b3f31dc1dff9'
+// All validations
+  - href: file:./multi-validations.yaml
+    rel: lula
+    resource-fragment: *
+```
+___ 
+> [!NOTE]
+> An example `component-definition` with remote validations can be found [here](../src/test/e2e/scenarios/remote-validations/component-definition.yaml).

docs/version-specification.md

@@ -2,7 +2,6 @@
 In cases where a specific version of Lula is desired, either for typing constraints or desired functionality, a `lula-version` property is recognized in the `description` (component-definition.back-matter.resources[_]):
 ```yaml
 - uuid: 88AB3470-B96B-4D7C-BC36-02BF9563C46C
-  title: Lula Validation
   remarks: >-
     No outputs in payload
   description: |