ICISM: Consider toggling CVE validation between errors and warnings

Description

(Imported from Google Code)
The Metadata Registry uses the ICISM:nonICMarkings attribute for CUI
distribution statements. However, these token values are not valid
according to the controlled vocabulary enumeration outlined by the IC. Need
to determine:

  • Should these values be added to the enumeration?

  • Should MDR change its approach?

  • If none of the above, should it be possible for users to validate a DDMS
    Resource with CVE errors as warnings if they desire? Does this open a
    floodgate for suppressing validation in general?

http://ddmsence.googlecode.com/svn/trunk/data/CVEnumISM/CVEnumISMNonIC.xml

Activity

Brian Uri
September 18, 2010, 3:19 PM

Completed in Rev 267. documentation.jsp has been updated and should not be reuploaded to the website until after the next release.

Brian Uri
September 18, 2010, 1:04 AM

1) A new property is required, buri.ddmsence.icism.cveValidationAsErrors=true. Setting this to false would add to the ValidationMessages during validation, rather than throwing an InvalidDDMSException.

2) The SecurityAttributes.validate() method should be updated. For each case where ISMVocabulary.validateEnumeration() is called, the property should switch logic to add validation messages instead. This can be done with a private helper method.

3) New unit tests are needed to compare the results of errors vs. warnings.

4) The property should be added to the PropertyReader's configurable property list as "icism.cveValidationAsErrors", and the Documentation on configurable properties should be updated.

5) The documentation for ICISM Security Attributes should be updated to reflect that this property can be set.
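
A sketch of the switch described in steps 1 and 2 above, as an added example and not DDMSence's own code. Only the property key comes from this issue; the class, exception and method names are hypothetical and the vocabulary tokens are constructed. The toggle lives in a single helper, so only enumeration checks can be downgraded, and it defaults to errors when the property is missing or malformed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.Set;

public class CveToggleSketch {
    // Constructed vocabulary (assumption); real tokens come from the CVE files.
    static final Set<String> NON_IC_TOKENS = Set.of("EXAMPLE-A", "EXAMPLE-B");

    // Hypothetical stand-in for the library's validation exception.
    static class InvalidResourceException extends Exception {
        InvalidResourceException(String message) { super(message); }
    }

    private final boolean cveAsErrors;
    private final List<String> warnings = new ArrayList<>();

    CveToggleSketch(Properties props) {
        // Fail closed: anything other than an explicit "false" keeps errors on.
        String raw = props.getProperty("icism.cveValidationAsErrors", "true");
        this.cveAsErrors = !"false".equalsIgnoreCase(raw.trim());
    }

    void validate(String classification, List<String> nonICMarkings) throws InvalidResourceException {
        // Structural rule: never downgraded, whatever the property says.
        if (classification == null || classification.isEmpty()) {
            throw new InvalidResourceException("classification is required");
        }
        for (String token : nonICMarkings) {
            checkEnumeration("nonICMarkings", token, NON_IC_TOKENS);
        }
    }

    // The private helper: the only place where the property changes behaviour.
    private void checkEnumeration(String attr, String token, Set<String> allowed) throws InvalidResourceException {
        if (allowed.contains(token)) return;
        String message = token + " is not a valid token for " + attr;
        if (cveAsErrors) throw new InvalidResourceException(message);
        warnings.add(message); // recorded for the caller, never silently dropped
    }

    public static void main(String[] args) throws Exception {
        Properties lenient = new Properties();
        lenient.setProperty("icism.cveValidationAsErrors", "false");
        CveToggleSketch v = new CveToggleSketch(lenient);
        v.validate("U", List.of("EXAMPLE-A", "NOT-IN-CVE")); // constructed input
        System.out.println("warnings: " + v.warnings);
        try { new CveToggleSketch(new Properties()).validate("U", List.of("NOT-IN-CVE")); }
        catch (InvalidResourceException e) { System.out.println("error: " + e.getMessage()); }
    }
}
```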

Brian Uri
April 21, 2010, 2:00 PM

Pending MDR TT 7401.

Fixed

Assignee

Brian Uri

Reporter

Brian Uri

Labels

None

Fix versions

Priority

Medium