fix: align OSCAL AR mapping for target, aggregate-result, and back-matter

jpower432 · jpower432 · commit c0b72a0e5768 · 2026-04-16T20:16:26.000-04:00
Signed-off-by: Jennifer Power &lt;barnabei.jennifer@gmail.com&gt;
diff --git a/gemaraconv/assessment_results.go b/gemaraconv/assessment_results.go
@@ -32,10 +32,11 @@ func EvaluationLogToOSCALAssessmentResults(log gemara.EvaluationLog, opts ...Eva
 	}
 
 	return oscal.AssessmentResults{
-		UUID:     uuid.NewUUID(),
-		Metadata: metadata,
-		ImportAp: oscal.ImportAp{Href: options.importApHref},
-		Results:  []oscal.Result{result},
+		UUID:       uuid.NewUUID(),
+		Metadata:   metadata,
+		ImportAp:   oscal.ImportAp{Href: options.importApHref},
+		Results:    []oscal.Result{result},
+		BackMatter: mappingToBackMatter(log.Metadata.MappingReferences),
 	}, nil
 }
 
@@ -82,9 +83,9 @@ func evaluationLogToResult(log gemara.EvaluationLog, catalog *gemara.ControlCata
 
 	title := fmt.Sprintf("Evaluation: %s", log.Metadata.Id)
 
-	targetComponent := buildTargetComponent(log.Target)
+	targetItem := buildTargetInventoryItem(log.Target)
 	localDefs := oscal.LocalDefinitions{
-		Components: &[]oscal.SystemComponent{targetComponent},
+		InventoryItems: &[]oscal.InventoryItem{targetItem},
 	}
 
 	result := oscal.Result{
@@ -98,7 +99,7 @@ func evaluationLogToResult(log gemara.EvaluationLog, catalog *gemara.ControlCata
 		LocalDefinitions: &localDefs,
 		Props: &[]oscal.Property{
 			{
-				Name:  "result",
+				Name:  "aggregate-result",
 				Value: log.Result.String(),
 				Ns:    oscalUtils.GemaraNamespace,
 			},
@@ -277,26 +278,26 @@ func buildLogEntry(alog *gemara.AssessmentLog, eval *gemara.ControlEvaluation, p
 	return entry
 }
 
-func buildTargetComponent(target gemara.Resource) oscal.SystemComponent {
+func buildTargetInventoryItem(target gemara.Resource) oscal.InventoryItem {
 	description := target.Description
 	if description == "" {
 		description = target.Name
 	}
 
-	return oscal.SystemComponent{
+	return oscal.InventoryItem{
 		UUID:        uuid.NewUUID(),
-		Type:        "this-system",
-		Title:       target.Name,
 		Description: description,
-		Status: oscal.SystemComponentStatus{
-			State: "operational",
-		},
 		Props: &[]oscal.Property{
 			{
 				Name:  "gemara-resource-id",
 				Value: target.Id,
 				Ns:    oscalUtils.GemaraNamespace,
 			},
+			{
+				Name:  "name",
+				Value: target.Name,
+				Ns:    oscalUtils.GemaraNamespace,
+			},
 		},
 	}
 }
diff --git a/gemaraconv/assessment_results_test.go b/gemaraconv/assessment_results_test.go
@@ -142,7 +142,7 @@ func TestEvaluationLogToOSCALAssessmentResults_AssessmentLogEntries(t *testing.T
 	assert.Contains(t, result.AssessmentLog.Entries[1].Title, "REQ-2")
 }
 
-func TestEvaluationLogToOSCALAssessmentResults_TargetComponent(t *testing.T) {
+func TestEvaluationLogToOSCALAssessmentResults_TargetInventoryItem(t *testing.T) {
 	log := makeEvaluationLog(gemara.Actor{Name: "tool", Type: gemara.Software}, []*gemara.AssessmentLog{
 		makeAssessmentLog("REQ-1", "check", gemara.Passed, "", nil),
 	})
@@ -153,12 +153,15 @@ func TestEvaluationLogToOSCALAssessmentResults_TargetComponent(t *testing.T) {
 
 	result := ar.Results[0]
 	require.NotNil(t, result.LocalDefinitions)
-	require.NotNil(t, result.LocalDefinitions.Components)
-	require.Len(t, *result.LocalDefinitions.Components, 1)
-
-	comp := (*result.LocalDefinitions.Components)[0]
-	assert.Equal(t, "Production System", comp.Title)
-	assert.Equal(t, "The prod system", comp.Description)
+	require.NotNil(t, result.LocalDefinitions.InventoryItems)
+	require.Len(t, *result.LocalDefinitions.InventoryItems, 1)
+
+	item := (*result.LocalDefinitions.InventoryItems)[0]
+	assert.Equal(t, "The prod system", item.Description)
+	require.NotNil(t, item.Props)
+	props := *item.Props
+	assert.Equal(t, "my-sys", props[0].Value)
+	assert.Equal(t, "Production System", props[1].Value)
 }
 
 func TestEvaluationLogConverter_ToOSCALAssessmentResults(t *testing.T) {
@@ -173,6 +176,43 @@ func TestEvaluationLogConverter_ToOSCALAssessmentResults(t *testing.T) {
 	assert.Contains(t, ar.Results[0].Title, "eval-converter")
 }
 
+func TestEvaluationLogToOSCALAssessmentResults_BackMatter(t *testing.T) {
+	log := makeEvaluationLog(gemara.Actor{Name: "tool", Type: gemara.Software}, []*gemara.AssessmentLog{
+		makeAssessmentLog("REQ-1", "check", gemara.Passed, "", nil),
+	})
+	log.Metadata.MappingReferences = []gemara.MappingReference{
+		{
+			Id:          "CNSC",
+			Title:       "Cloud Native Security Controls",
+			Version:     "1.0.0",
+			Description: "CNCF security controls catalog",
+			Url:         "https://example.com/cnsc",
+		},
+	}
+
+	ar, err := EvaluationLogToOSCALAssessmentResults(log)
+	require.NoError(t, err)
+
+	require.NotNil(t, ar.BackMatter)
+	require.NotNil(t, ar.BackMatter.Resources)
+	require.Len(t, *ar.BackMatter.Resources, 1)
+
+	resource := (*ar.BackMatter.Resources)[0]
+	assert.Equal(t, "Cloud Native Security Controls", resource.Title)
+	assert.NotEmpty(t, resource.UUID)
+	assertValidJSON(t, ar)
+}
+
+func TestEvaluationLogToOSCALAssessmentResults_NoBackMatterWhenEmpty(t *testing.T) {
+	log := makeEvaluationLog(gemara.Actor{Name: "tool", Type: gemara.Software}, []*gemara.AssessmentLog{
+		makeAssessmentLog("REQ-1", "check", gemara.Passed, "", nil),
+	})
+
+	ar, err := EvaluationLogToOSCALAssessmentResults(log)
+	require.NoError(t, err)
+	assert.Nil(t, ar.BackMatter)
+}
+
 func TestMapActorType(t *testing.T) {
 	assert.Equal(t, "person", mapActorType(gemara.Human))
 	assert.Equal(t, "tool", mapActorType(gemara.Software))
