Preserve the framework dependencies in the reporting structure #636
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Compliance frameworks were not connected to the root of the graph. On the backend, we iterate from the root to figure out all reporting jobs that get saved. Without this, we don't save the compliance frameworks or controls Not done here, but we should also be preserving the framework dependencies in the graph so that its consistent to how policies work
Create reporting jobs for the chain of frameworks. For example, asset frameworks point to the space framework which point to the global framework which point to some actual frameworks. One issue I ran into was that we have space/asset frameworks and space/asset policies. I chose to not create separate reporting jobs for those because having multiple reporting jobs with the same query is likely to break something. Instead, the policies would just get attached to the existing policy jobs, but the impact is set to unscored
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There are major changes here:
First, compliance frameworks were not connected to the root reporting job. On the backend, we iterate from the root reporting job to figure out all reporting jobs that get saved. Without this, we don't save the compliance frameworks or controls
Second change is the structure of the framework dependencies is preserved in the reporting jobs. For example, asset frameworks point to the space framework which point to the global framework which point to some actual frameworks. This keeps it consistent with the way handle policies.
One issue I ran into was that we have space/asset frameworks and space/asset policies. I chose to not create separate reporting jobs for those because having multiple reporting jobs with the same query is likely to break something. Instead, the policies would just get attached to the existing policy jobs, but the impact is set to unscored