
new feature: create OSCAL json report from compliance operator evidence

Open degenaro opened this issue 4 years ago • 0 comments

Overview

Provide a harvest report to transform Kubernetes compliance operator evidence from cluster_resource fetcher into a NIST OSCAL Assessment Results collection of Observations in JSON format.

Rationale: a standardized form of evidence across multi-cloud environments, and a basis for creating NIST OSCAL Assessment Results.

Requirements

  • The cluster_resource fetcher produces evidence comprising a JSON file with embedded XML in non-OSCAL format.
  • The harvest report is to produce a JSON file comprising NIST OSCAL Assessment Results Observations.
  • The harvest report is to produce an enhanced JSON file with additional Observation data when an optional oscal-metadata YAML file is specified.
  • Employ transformation technology available from compliance-trestle open source project.

Approach

Write a harvest report that consumes cluster_resource evidence and optional oscal-metadata.yaml to produce compliance_oscal_observations.json.

Steps:

  • Read evidence from cluster_resource.json.
  • Read enhancement data from oscal_metadata.yaml, if it exists.
  • Employ the trestle transformer to create a list of trestle Observations.
  • Write the trestle Observations JSON as compliance_oscal_observations.json.
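As an added example (not code from this issue, auditree-arboretum or compliance-trestle), the four steps above in Python with a hand-rolled transform standing in for the trestle transformer. The evidence layout (XCCDF rule results as XML inside a ConfigMap's data.results), the metadata layout keyed by scan name, and the OSCAL observation field subset used are all assumptions.

```python
import datetime
import uuid
import xml.etree.ElementTree as ET

# Constructed sample of cluster_resource evidence: one ConfigMap-like item whose
# "results" field carries XCCDF rule results as embedded XML (layout assumed).
SAMPLE_EVIDENCE = {"items": [{
    "kind": "ConfigMap",
    "metadata": {"name": "ocp4-cis-node-master", "namespace": "openshift-compliance"},
    "data": {"results": (
        '<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2">'
        '<rule-result idref="xccdf_org.ssgproject.content_rule_api_server_anonymous_auth">'
        '<result>pass</result></rule-result>'
        '<rule-result idref="xccdf_org.ssgproject.content_rule_api_server_insecure_port">'
        '<result>fail</result></rule-result></TestResult>')}}]}
# Constructed oscal-metadata: extra properties keyed by scan (ConfigMap) name.
SAMPLE_METADATA = {"ocp4-cis-node-master": {"cluster": "prod-1", "locker": "evidence-locker-A"}}
XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"


def rule_results(evidence):
    """Yield (scan_name, rule_id, result) for every rule-result in the embedded XML."""
    for item in evidence.get("items", []):
        xml_blob = item.get("data", {}).get("results")
        if not xml_blob:            # not a results ConfigMap: skip it, do not fail
            continue
        root = ET.fromstring(xml_blob)
        for rr in root.iter(XCCDF + "rule-result"):
            yield item["metadata"]["name"], rr.get("idref"), rr.findtext(XCCDF + "result")


def to_observations(evidence, metadata=None, collected=None):
    """Build OSCAL Assessment Results observations (uuid/title/description/methods/
    collected/props subset of the schema); metadata, if given, adds props per scan."""
    collected = collected or datetime.datetime.now(datetime.timezone.utc).isoformat()
    observations = []
    for scan, rule, result in rule_results(evidence):
        obs = {"uuid": str(uuid.uuid4()), "title": rule,
               "description": f"{scan}: {rule} -> {result}",
               "methods": ["TEST"], "collected": collected,
               "props": [{"name": "result", "value": result},
                         {"name": "scan", "value": scan}]}
        # Optional enhancement step: only scans present in the metadata get extra props.
        for name, value in (metadata or {}).get(scan, {}).items():
            obs["props"].append({"name": name, "value": value, "class": "oscal-metadata"})
        observations.append(obs)
    return observations
```

Step 4 is then `json.dump({"observations": to_observations(evidence, metadata)}, fh, indent=2)` into compliance_oscal_observations.json.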

Security and Privacy

N/A

Test Plan

Employ unit tests comprising representative cluster_resource.json and oscal-metadata.yaml.

degenaro · Jan 28 '21 23:01