Releases: GovReady/govready-q

Version 0.9.1.52

16 Feb 17:21
f81b68f

v0.9.1.52 (February 16, 2021)

Add System Assessment Report tracking to associate assessments and evidence with the system.
Add initial dynamic status information to the project page.
Project page displays mini-dashboard of compliance stats.

Feature changes

  • Add System Assessment Report tracking to associate assessments and evidence with the system.
  • Add initial dynamic status information to the project page.

UI changes

  • Improve page load times for listings with pagination and ordering for project listing and selected component listing.
  • Display projects in pages of 10 and selected components by 5.
  • Project page displays mini-dashboard of compliance stats.
    • Number of controls implemented out of count of controls.
    • Number of POA&Ms.
    • Count of system components.
    • Approximate overall compliance based on controls implemented / count of controls.

Developer changes

  • Properly restrict statement history access to users with system, staff, or admin permissions.
  • Avoid name collisions when cloning a component.
  • Replaced function-based views with class-based listview for SelectedComponentsList, ProjectList.
  • Default to not using Django Debug Toolbar. Added new enable_tool_bar parameter option for local/environment.json to allow users to enable (True) or disable (False) the Django Debug Toolbar.
  • Adding DummyCache to prevent real caching while running automated tests.
  • Refactored use of random package to use secure secrets module.
  • Added minor pylint fixes.
  • Added the ability to import and export Poams along with the project import/export.
  • Load sample/default components into component library during installation to provide users with starting set of components.

Version 0.9.1.51

03 Feb 16:26
6a41a3c

v0.9.1.51 (February 03, 2021)

UI changes

  • Display components alphabetically in component library text listing and in selected components text listing.
  • Include a component description and statement count in component library text listing and in selected components text listing.
  • Remove admin's "update certified text" option from editing control implementation statements.

Developer changes

  • Set statements to delete (CASCADE) when producer_element deleted.
  • Set statements to delete (CASCADE) when consumer_element deleted.
  • Add methods to Element to get_statements
  • Refactor project deletion to properly delete related System (e.g., project.system.root_element), Statements, ElementControls, POAMS, Deployments.

Bug fix

  • Fix erroneous control statement save error message.

v0.9.1.50.4 (February 03, 2021)

Bug fix

  • Fix importing project to just update the project started.

Version 0.9.1.50.3

02 Feb 00:16
e6c4e68

v0.9.1.50.3 (February 1st, 2021)

Bug fix

  • Fix importing project to just update the project started.

UI changes

  • Remove "Upgrade Project" button from project page action buttons. Upgrade is now in settings page.
  • Improve styling of app store items.
  • Tweak general styling of project page question page:
    • Remove light gray background from project page, question page, task finished page.
    • Reduce corner radius in focus area blocks.
    • Widen question area.

Compliance app changes

  • Lightweight-ato compliance app (installed by default) now displays SSP button below action buttons.
  • Display "Unknown" when app vendor is set to "None" instead of "none".

Developer changes

  • Format clean up of style sheets in project, app-store templates.
  • Added functools.lru_cache() decorator to speed up a couple of functions.

Version 0.9.1.50.2

27 Jan 02:37
427495f

v0.9.1.50.2 (January 26, 2021)

Adds support for OSCAL component and statement input for Compliance Apps.
(Currently only supports OSCAL JSON inputs.)
Adds statements to project upon project creation.
Keeps track of app inputs by relating them to the app version.

Includes the following schema update to the app.yaml file of Compliance Apps.
Inputs are supported in the app.yaml file with the following format:

input:
- id: <input_id> (string)
  name: <Input Name> (string)
  type: oscal (Only oscal currently supported) 
  path: <dir/filename.json> (relative file path)
  group: (optional string)
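
A check an app author or reviewer could run over the input entries before installing a Compliance App, shown here as an added example that is not GovReady-Q's own code. It takes the already-parsed value of the input key, and the function names, error wording, and the containment rule for path are assumptions of this example.

```python
import posixpath

# The release notes state that only "oscal" inputs are currently supported.
ALLOWED_TYPES = {"oscal"}


def path_problems(path):
    """Check that `path` is a relative JSON path that stays inside the app dir."""
    found = []
    if "\\" in path or "\x00" in path:
        found.append("path contains a backslash or NUL byte")
    if path.startswith("/") or (len(path) > 1 and path[1] == ":"):
        found.append("path must be relative to the app directory")
    norm = posixpath.normpath(path)
    if norm == ".." or norm.startswith("../"):
        found.append("path escapes the app directory")
    if not norm.lower().endswith(".json"):
        found.append("only OSCAL JSON files are supported")
    return found


def validate_inputs(inputs):
    """Return a list of problems in the parsed `input` list of an app.yaml."""
    if not isinstance(inputs, list):
        return ["input: expected a list of input entries"]
    problems, seen_ids = [], set()
    for n, entry in enumerate(inputs):
        where = f"input[{n}]"
        if not isinstance(entry, dict):
            problems.append(f"{where}: expected a mapping")
            continue
        for key in ("id", "name"):
            if not isinstance(entry.get(key), str) or not entry[key].strip():
                problems.append(f"{where}: '{key}' must be a non-empty string")
        input_id = entry.get("id")
        if isinstance(input_id, str):
            if input_id in seen_ids:
                problems.append(f"{where}: duplicate id '{input_id}'")
            seen_ids.add(input_id)
        kind = entry.get("type")
        if not isinstance(kind, str) or kind not in ALLOWED_TYPES:
            problems.append(f"{where}: unsupported type {kind!r}")
        path = entry.get("path")
        if not isinstance(path, str) or not path:
            problems.append(f"{where}: 'path' must be a non-empty string")
        else:
            problems.extend(f"{where}: {p}" for p in path_problems(path))
        if "group" in entry and not isinstance(entry["group"], str):
            problems.append(f"{where}: 'group' must be a string when present")
    return problems


# Constructed sample entries (not taken from a real Compliance App).
GOOD_INPUTS = [
    {"id": "acme_db", "name": "Acme DB", "type": "oscal",
     "path": "components/acme_db.json", "group": "databases"},
]
BAD_INPUTS = [
    {"id": "acme_db", "name": "Acme DB", "type": "oscal",
     "path": "../../outside.json"},
    {"id": "acme_db", "name": "", "type": "xml", "path": "/etc/app.json"},
]

if __name__ == "__main__":
    for problem in validate_inputs(BAD_INPUTS):
        print(problem)
```

The check is purely lexical; it does not follow symlinks, so a loader should still resolve the final path and confirm it sits under the app directory before opening it.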

Add deployments to capture system deployments and the inventory items in each deployment.
One system has multiple deployments (e.g., dev, stage, prod) and each deployment contains an inventory of the actual endpoints/items in a deployment of the system. Systems start with several common default (empty) deployments.
The "design" deployment by convention is a special deployment to represent the system architecture.
Deployments maintain a complete version history.
Deployment inventory-items are represented as JSON data objects following a scheme that is similar to the OSCAL inventory-item section.
Data for deployment inventory-items is assumed to be generated outside of GovReady. It is critical that the inventory items have UUIDs prior to import. Inventory item UUIDs for the life of the instantiated inventory item.
Inventory items in a deployment can be associated with an inventory item in the "design" deployment by referencing the "design" inventory item's UUID. This enables a virtual persistence of an inventory-item across different instances of the "same" asset, such as a virtual database server.
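
A pre-import check for the two requirements above (every inventory item carries a UUID, and references to "design" items resolve), as an added example that is not GovReady-Q's own code. The item layout, the "uuid" key, and the "design-item-uuid" reference key are hypothetical names chosen for this example; the release notes do not give the field names.

```python
import uuid

# Hypothetical key an item uses to point at its "design" counterpart.
DESIGN_REF_KEY = "design-item-uuid"


def parse_uuid(value):
    """Return the canonical lowercase UUID string, or None if malformed."""
    if not isinstance(value, str):
        return None
    try:
        canonical = str(uuid.UUID(value))
    except ValueError:
        return None
    # uuid.UUID also accepts braces, "urn:uuid:" and unhyphenated forms;
    # require the canonical form so identifiers compare equal as strings.
    return canonical if canonical == value.lower() else None


def check_deployment(design_items, items):
    """Return (index, problem) pairs for inventory items that should not be imported."""
    design_ids = {parse_uuid(i.get("uuid")) for i in design_items} - {None}
    problems, seen = [], set()
    for n, item in enumerate(items):
        item_id = parse_uuid(item.get("uuid"))
        if item_id is None:
            problems.append((n, "missing or malformed uuid"))
        elif item_id in seen:
            problems.append((n, "duplicate uuid"))
        else:
            seen.add(item_id)
        ref = item.get(DESIGN_REF_KEY)
        if ref is not None and parse_uuid(ref) not in design_ids:
            problems.append((n, "design reference does not resolve"))
    return problems


# Constructed sample data for a "design" and a "prod" deployment.
SAMPLE_DESIGN = [
    {"uuid": "11111111-1111-4111-8111-111111111111", "name": "db-server"},
]
SAMPLE_PROD = [
    {"uuid": "22222222-2222-4222-8222-222222222222", "name": "db-01",
     DESIGN_REF_KEY: "11111111-1111-4111-8111-111111111111"},
    {"name": "web-01"},
    {"uuid": "22222222-2222-4222-8222-222222222222", "name": "db-02"},
    {"uuid": "33333333-3333-4333-8333-333333333333", "name": "cache-01",
     DESIGN_REF_KEY: "44444444-4444-4444-8444-444444444444"},
]

if __name__ == "__main__":
    for index, problem in check_deployment(SAMPLE_DESIGN, SAMPLE_PROD):
        print(f"item {index}: {problem}")
```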

Feature changes

  • Add system deployments with inventory items to track instantiations of the system in real assets.
  • Add lightweight-ato to default apps so users can get started easier.
  • Add the Django admin documentation generator to provide useful documentation for developers.

UI changes

  • Add deployment index page for listing deployments associated with a system.
  • Add deployment form page for creating/editing deployments.
  • Add deployment history page.

Developer changes

  • Add .coveragerc configuration file to ensure we cover and run only tests locally and in CircleCI.
  • Add pyup.yml configuration file to have pyup.io pull requests go against develop branch.
  • Add controls.Deployment object, related routes, views, templates, and admin to track system deployments and deployment inventory items.
  • Add DeploymentForm for Deployment model.
  • New '%dict' operator for JSON/YAML output templates
  • Pass OSCAL context to JSON/YAML output templates
  • Created a recursive method wait_for_sleep_after that wraps around other functions allowing for drastically shorter wait times necessary compared to peppering var_sleeps.
  • Update install scripts.
  • Update default and recommended local/environment.json file from first_run and install-govready-q.sh.
  • By default, set organization name to "main".
  • Add optional PIPUSER parameter to install-govready-q.sh to avoid error of running pip install with --user flag in virtual environments.
  • Comment out starting GovReady-Q server automatically because too many edge cases exist to execute that well.
  • Add method get_answer to guidedmodules.models.Task to easily return answers from a project task's answers.

Data changes

  • Add lightweight-ato to default apps so users can get started easier.
  • Populate every new system with default deployments design, dev, stage, prod.

Version 0.9.1.49

13 Jan 00:32
427495f

v.0.9.1.49 (January 12, 2021)

IMPORTANT

ADMIN NOTE: New users registering in your GovReady instance PRIOR TO THIS VERSION may not see any Compliance Apps when starting a project. This bug has been fixed, but ADMINS MUST ADD PERMISSION "guidedmodules | app source | can view app source" TO EACH USER TO FIX PERMISSIONS FOR EXISTING USERS. SEE DJANGO ADMIN CUSTOM ACTION "add_viewappsource_permission" TO SELECTIVELY ADD THIS PERMISSION TO USERS.

For statements created before this release, you can call the django-simple-history populate command to generate an initial change for preexisting model instances:
python manage.py populate_history --auto and/or python3 manage.py populate_history --auto depending on your python link

Feature changes

  • Add default Organizational Defined Parameter values.
  • Track batch imports of components (via OSCAL) into component library for tracking and management purposes; enable deletes of batch imports.
  • Support defining multiple allowed hosts via the local/environment.json file.
  • Allow administrators to change component name and description in Component Library.
  • Existing projects can be moved between existing portfolios.
  • Edit existing portfolio's title and description.
  • Delete existing portfolio.
  • Add an autocomplete in component library to look up controls across multiple catalogs for writing a control implementation statement.

UI changes

  • New dialog in Component Library for importing components in OSCAL JSON format
  • New screens for tracking and deleting batch imports of components (via OSCAL) into component library.
  • Add "Edit" button in Component Library for Administrators to rename a component.
  • Add "Move Project" action button on project page to move project to a different portfolio.
  • Add "Edit Portfolio" links on portfolio page for editing portfolio details and deleting portfolio.
  • Conditionally show button to delete portfolio if portfolio is empty and user has permission to change portfolio.
  • Support a Select2 autocomplete dropdown selection box in the component library to assign a control when authoring a new component control implementation statement for a component in the library.
  • You can now click the history button in a given statement's panel in the controls selected implementation statement page or component library.
  • Added error messages for any files that fail validation for Comment Attachment uploads

Data changes

  • Add default Organizational Defined Parameter values.
  • Add validators argument to the file field in the Attachment model.
  • Add history field in the Statement model. This is the source for the new HistoricalStatement table that captures all Statement history.

Developer changes

  • New controls.models.ImportRecord model for tracking batch imports of components (via OSCAL) into component library.
  • New routes and views related for tracking batch imports of components (via OSCAL) into component library.
  • Fix OSCAL component import to use "statement" JSON property.
  • Support defining multiple allowed hosts via the local/environment.json file via new allowed_hosts environment parameter.
  • Added route controls/api/controlsselect/ and view api_controls_select to get list of controls.
  • Modified view save_smt to just save prototype statement when statement is being created in the component library.
  • Modified template templates/components/element_detail_tabs.html to use jQuery select2 for autocomplete and search of catalog of controls to add a control to a component.
  • Update hidden sid_class field with catalog human readable name. Add hidden field form_source to identify to the save smt view that we are receiving a form submission from the component library.
  • Add 'label' value to oscal.Catalog.cx.get_flattened_controls_all_as_dict.
  • Introducing model history tracking with django-simple-history.
  • Update various Python libraries.
  • Added file extension, size and type validation for Comment Attachment uploads.
  • Introducing request profiling with pyinstrument.
  • Add default controls.models.OrgParams class to support basic, default generation of organizational defined parameters.

Bug fixes

  • Fix missing "part" field on Component's component statement form and incorrectly displaying the "remarks" field (#1232)
  • Fix display of OSCAL into correct tab on system's component's page
  • When generating OSCAL component files, emit statement elements with ids that correlate with the control catalog.
  • New non-admin users did not have the permission to view appsource. Added permission after the new user is created with the SignupForm from allauth.account.forms.

v.0.9.1.48.1 (December 17, 2020)

Bug fixes

  • Fix handling of static files. Create new static-root directory outside of siteapp into which to collect static files.
  • Remove bad path reference to select2 javascript libraries in component library page.

Version 0.9.1.48

17 Dec 15:30
427495f

NOTE
Includes version changes from v0.9.1.44 up to v0.9.1.48 (latest release).

v.0.9.1.48 (December 15, 2020)

Add Component Library feature pages and improve UI for managing reuse and "certified" component library.

Properly generate JSON, YAML questionnaire output documents from a JSON (or YAML) output template in the compliance app output section. The JSON, YAML output documents are first converted to Python data structures and then populated with information in a variant of Jinja2 substitutions.

Fix tests so they execute successfully in CircleCI.

Feature changes

  • Support Compliance As Code reuse of statements via "certified" control sets. This capability is enabled by having statements sub-typed to control_implementation_prototype to support local statements sub-typed to control_implementation and control_implementation_prototype, with the latter representing the "certified" version of a component-control element. Every control_implementation statement type was given a Django foreign key called prototype to connect that statement to the "certified" version of the control (e.g., control_implementation_prototype). This model supports the features in the UI:
  1. Add a component to the system while on components page via autocomplete and create control_implementation statements from the control_implementation_prototype statements
  2. Add a component to the system while on control edit page via autocomplete and create control_implementation statements from the control_implementation_prototype statements
  3. Notify user that the local statement for a component-control (e.g., control_implementation) was different than the "certified" statement for the component-control (e.g., control_implementation_prototype).
  4. Enable viewer to view differences between the local statement for a component-control (e.g., control_implementation) and the "certified" statement for the component-control (e.g., control_implementation_prototype).
  5. To update a "certified" statement, enable an administrator to update (e.g. push) the "certified" statement for the component-control (e.g., control_implementation_prototype) text from a system's component-control (e.g., control_implementation) text.
  6. After a "certified" statement was updated, enable user to copy (e.g. pull) the updated "certified" statement for the component-control (e.g., control_implementation_prototype) text into other systems' component-control (e.g., control_implementation) text.
  • Support generation of JSON, YAML questionnaire output documents with Jinja2 style substitutions, loops, and conditionals. Re-do the 'json' template format to recognize a new %for control structure objects that execute loops.

  • Support generation of Word DOCX questionnaire output documents with page numbers, headers, footers, TOC (using pandoc custom reference doc feature).

  • Support creating a new component in the library.

UI changes

  • Add Component Library page listing all available components.
  • Add global navbar link to Component Library.
  • Remove Common Control tab from control editor.
  • Remove redundant listing of control statements from component description tab.
  • Display filler text when component does not have a description.
  • Move component implementation statement tab to left of combined statement tab in control editor.
  • Updating certified text also updates the HTML block showing the certified text with updated certified text on edit pages.
  • Add components (system elements) via an autocomplete to a system on system's selected components page.
  • Add label/alert above implementation statement edit box when notifying user if local system statement is synchronized with certified control implementation statement.
  • Make statement synchronization status label/alert clickable to reveal certified statement and diff between local and certified.
  • Add buttons for copying certified statement into local statement and for admin to update certified statement from local statement.
  • Add autocompletes to make it easy to add a new component to a system and the component's respective certified controls.
  • Use Select2 box to add component to system's selected component.
  • Add route add_system_component and related view to add a component to a system's selected component.
  • Replace the url pattern routing in v0.9.1.46.4 for directing accounts login to home page with custom templates to override default allauth templates.
  • Use Django messaging when adding a component to system's selected component to provide user with better feedback.

Data changes

  • Add copy method to Element data model to create a new element (e.g. component) as a copy of existing component.
  • Add statements method to Element data model to produce a list of statements of a particular statement_type.

Bug fixes

  • Fix multiple loadings of updated smt.body into bootstrap's panel heading section by improved naming of div classes in panel and better targeted update.
  • Fix enable_experimental_oscal control. Model method was set incorrectly, requiring both enable_experimental_oscal and enable_experimental_opencontrol to be enabled for either to show up.
  • Fix testing issues. Fix tests so they execute successfully in CircleCI.

Developer changes

  • Default Selenium tests to headless mode. Add new test_visible parameter option for local/environment.json to force Selenium tests to run in visible or headless mode.
  • Add custom-reference.docx MS Word DOCX document to /assets directory to be used by pandoc when generating MS Word output documents in order to provide page numbers, headers, footers, TOC.
  • Significantly refactored indentations in control editor pages to make code folding and div analysis easier.
  • Add an ElementForm to create new components (AKA Elements).
  • Modified controls.Statement model to link control_implementation statements to control_implementation_prototype statements. See commit 5083af.
  • Add methods for diff'ing (e.g., comparing) a control_implementation statement against its prototype statement using Google diff-match-patch.
  • Avoid duplicative adding of a component to a system causing duplicate statements.
  • Avoiding adding a component with no control implementation statements to a system.
  • Add all available control implementation statements of a component to a system, even for controls that are not selected controls.
  • Avoid adding duplicate control implementation instance statements to a system by checking in the statement model that we are not creating an instance statement when such a statement from prototype already exists.
  • Use Django messaging when adding a component to system's selected component to provide user with better feedback.
  • Delete already commented-out control id look up from system's selected components page.
  • The work for a component library and certified controls was performed across three branches that were eventually synchronized (approximately commit 1893466) and merged into the master branch:
    • autocomplete_statements_#1066
    • ge/reuse-0903
    • automated-tests-statements

Under-development output document formats oscal_json, oscal_yaml, and oscal_xml are now replaced with json, yaml, and xml respectively.

Format xml is still under development and not recommended for regular use.

Formats for json and yaml now support new Jinja2-like tags to enable parameter substitution and loops inside those formats while Django handles them as Python objects:

%for
%loop

%if
%then

{{ param }}

Example:

{
  "title": "{{project.system_info.system_name}}",
  "published": "2020-07-01T00:00:00.00-04:00",
  "last-modified": "2020-07-01T00:00:00.00-04:00",
  "version": "0.0",
  "oscal-version": "1.0-Milestone3",
  "new-control-stuff": {
    "%for": "control in system.root_element.selected_controls_oscal_ctl_ids",
    "%loop": {
      "%if": "control.lower() in control_catalog",
      "%then": {
        "uuid": "{{ system.control_implementation_as_dict[control]['elementcontrol_uuid'] }}",
        "control-id": "{{ control.lower() }}",
        "by-component": {
          "%for": "smt in system.control_implementation_as_dict[control]['control_impl_smts']",
          "%loop": {
            "key": "{{ smt.producer_element.uuid }}",
            "value": {
              "uuid": "{{ smt.uuid }}",
              "component-name": "{{ smt.producer_element.name|safe }}",
              "description": "{{ smt.body|safe }}"
            }
          }
        }
      }
    }
  }
}

  • Update various libraries. See changes in requirements.txt.
  • Removed instance of using sys.stderr and replaced with logger for proper logging.
  • Fix tests so they execute successfully in CircleCI.

Other

  • Updated link to jquery-ui.min.js library in fetch-vendor-resources.
  • Update version checking for v999 develop branch designation.

v.0.9.1.47.1 (December 02, 2020)

Developer changes

  • Minor further tweaks to CSS refactoring.

v.0.9.1.47 (December 01, 2020)

Developer changes

  • Significant refactoring of CSS to replace inline styles from as many pages as possible with classes defined in css/govready-q.css stylesheet.

Bug fix

  • Fix system_settings methods enable_experimental_oscal and enable_experimental_opencontrol to work properly.

v0.9.1.46.4 (November 25, 2020)

UI changes

  • Adding a url pattern for accounts login to ensure proper styling. Also added conditionals to the landing view that constructs the signup and login forms.

v0.9.1.46.3 (November 20, 2020)

UI changes

  • Add OSCAL download link to system component page.

v0.9.1.46.2 (November 19, 2020)
---------------...


Version 0.9.1.50.1-Mesosphere

20 Jan 17:22

v0.9.1.50.1 (January 20, 2021)

Add deployments to capture system deployments and the inventory items in each deployment.

One system has multiple deployments (e.g., dev, stage, prod) and each deployment contains an inventory of the actual endpoints/items in a deployment of the system. Systems start with several common default (empty) deployments.

The "design" deployment by convention is a special deployment to represent the system architecture.

Deployments maintain a complete version history.

Deployment inventory-items are represented as JSON data objects following a scheme that is similar to the OSCAL inventory-item section.
Data for deployment inventory-items is assumed to be generated outside of GovReady. It is critical that the inventory items have UUIDs prior to import. Inventory item UUIDs for the life of the instantiated inventory item.

Inventory items in a deployment can be associated with an inventory item in the "design" deployment by referencing the "design" inventory item's UUID. This enables a virtual persistence of an inventory-item across different instances of the "same" asset, such as a virtual database server.

Feature changes

  • Add system deployments with inventory items to track instantiations of the system in real assets.
  • Add lightweight-ato to default apps so users can get started easier.

UI changes

  • Add deployment index page for listing deployments associated with a system.
  • Add deployment form page for creating/editing deployments.
  • Add deployment history page.

Developer changes

  • Add .coveragerc configuration file to ensure we cover and run only tests locally and in CircleCI.
  • Add pyup.yml configuration file to have pyup.io pull requests go against develop branch.
  • Add controls.Deployment object, related routes, views, templates, and admin to track system deployments and deployment inventory items.
  • Add DeploymentForm for Deployment model.
  • New '%dict' operator for JSON/YAML output templates
  • Pass OSCAL context to JSON/YAML output templates
  • Created a recursive method wait_for_sleep_after that wraps around other functions allowing for drastically shorter wait times necessary compared to peppering var_sleeps.
  • Update install scripts.
  • Update default and recommended local/environment.json file from first_run and install-govready-q.sh.
  • By default, set organization name to "main".
  • Add optional PIPUSER parameter to install-govready-q.sh to avoid error of running pip install with --user flag in virtual environments.
  • Comment out starting GovReady-Q server automatically because too many edge cases exist to execute that well.

Data changes

  • Populate every new system with default deployments design, dev, stage, prod.
  • Add Lightweight-ato apps to default apps.

v0.9.1.43-mesosphere

02 Oct 12:25
  • Enables easy upgrade of existing projects to newer versions of the project's compliance app (e.g., questionnaire).
  • Improves accessibility issues such as contrast and labeling of form elements.
  • Adds grouping value to POA&Ms
  • Various bug fixes.

Version 0.9.1.43

02 Oct 11:38
17c18c7
  • Enables easy upgrade of existing projects to newer versions of the project's compliance app (e.g., questionnaire).
  • Improves accessibility issues such as contrast and labeling of form elements.
  • Adds grouping value to POA&Ms
  • Various bug fixes.