Sprint 148 Progress Summary

December 29th - January 12th

Executive Summary

Overall Summary

Sprint status is excellent. The Product Team had prioritized the following themes and tasks for Sprint 148.  Themes for the sprint included Partner and Community support 

+ Forum discussions
+ Support for the Federal Agencies Implementations (VA, CMS, DoD, SSA)
+ Community support
+ Post 4.4 Release - Refactoring and Cleanup Tasks
     – Continued Backlog Grooming and JIRA Cleanup
     – Refactoring and Technical User Stories
     – Process Improvements
+ eHealth Exchange Certification Review/Remaining Issues
     – Review of EHEX Certification Manual Checklists for QD and RD
     – Further review of removing Semantic Text values
     – Creation of EHEX Certification notes wiki page
     – Creation of JIRA tickets and the analysis of the Audit logging Improvements Design
+ Work on X12 Audit Requirements and Design
+ Functional and Security Testing Improvements

The team completed 32 points during this holiday impacted sprint.  The continued focus this sprint was on reviewing and addressing any compliance issues related to the eHealth Exchange manual checklists. These reviews were conducted based on the checklists provided off of the Healtheway website as of November 2014. The team pulled in several tickets related to Functional and Security Testing Improvements as more was learned working with the latest security scan rule packs and utilizing additional scanning tools.. Supporting our federal partners and their implementation efforts as well as the open source community continues to be a top priority.  

 

One ticket was not completed related to completing some documentation related to development process improvements.


Burndown:

Sprint Themes and related tickets for Sprint 148:

Partner and Community support

– Support for the VA 4.2.2.2 implementation
    • Researched and isolated a PD/DQ issue related to the subjectRole attribute on inbound requests affecting certain trading partners
– Continued working with the DoD SCQC team answering questions and coordinating security reviews for CONNECT
    • Continued working to develop process and learn tool for review of software dependencies
    • Discussion around certain tech stack components 
– Met to further drive and capture Auditing requirements for X12 and CMS environmental constraints
– Resolved issue in 4.4.1 after providing facilitation concerning a request by SSA made in 4.3.2 with NIST testing
    • SAML PoU attribute, Role declaration and HL7 schemas
– Continued community support for other adopters installing CONNECT and beginning their testing and validation
    • Still a few new forums sign-ups during the holiday season
– Responded to several community questions via the forums

Post 4.4 Release - Refactoring and Cleanup Tasks

– Performed additional grooming and prioritization of current CONNECT Backlog tickets, CCB preparation
– Reviewing and refining of Technical Stories for application improvements and needed refactoring
– Added new application server version, WebSphere 8.5, to the Continuous Integration merge process
– Added resource-reference declarations in GlassFish for web deployment descriptor files
    • Allows support for GlassFish versions 3 & 4
– Worked on refinements to the CONNECT Development process
    • Documented in the wiki and reviewed with team

Support for NwHIN eHealth Exchange Certification Review/Remaining Issues

– Reviewed CONNECT generated QD and RD request and response messages against all pertinent manual EHEX certification checklists
    • Split the review by service type and consolidated the manual checklists/spreadsheets accordingly
    • Several spreadsheets were associated with each service
    • No additional findings requiring changes were found
    • Further research on several optional adapter parameters and the gateway processing of those
    • Overall manually reviewed over 1500 validation checks  contained in the EHEX checklists/spreadsheets
– Created JIRA tickets for Audit services based on EHEX manual checklist review performed in Sprint 147
– Verified against the Audit Updates Design created as part of Release 4.3 scope
– Set the "mustUnderstand" attribute on the WS-Addressing Action element in the SOAP response  (CONN-1506 & CONN-1428)
    • Additional testing and review was performed
– The first resolution to address the Semantic Text removal was only applied to the parameter list in QueryByParameter, still required to be applied for the MatchCriterionList elements in the PD request schema
    • Parameters MatchAlgorithm & MinimumDegreeMatch
    • Found and resolved a related issue with the MinimumDegreeMatch, proper setting of the range variable
– Resolved the PurposeOfUse and Role scoping issue, setting it to be configurable to meet certification as well as any potential trading partner requirements

Functional and Security Testing Improvements

– Addressing findings based on latest Fortify rules pack, continued collaboration with DoD SCQC on findings
    • Mitigated "Race Condition: Singleton Member Field"
    • Mitigated "Insecure Transport: Mail Transmission“
    • Mitigated "Path Manipulation“
    • Mitigated "Log Forging"
– Compared and researched our internal Dependency Check  report with the report supplied from DoD SCQC team (based on 4.4)
    • Also being validated against current nightly CI reports
    • Removed unused transitive dependencies
– Refined test included in the automated Regression Suite – Audit Logging in Passthru

X12 Audit Requirements and Design 
– Further explored what Auditing is required and would be functionally needed for X12 messaging
    • Where in the message flow and CMS workflow should Auditing occur
    • How much of the Document Submission Audit methodology can be leveraged
– Understand the impacts of Auditing and writing data within the CMS 3-zone architecture related to this service
    • Similar constraints and requirements with other services

Other tasks post release

  • Continuing to work on the team generated Technical Stories
  • Continued backlog grooming and prioritization 
  • Beginning preparation for the Change Control Board

JIRA Planning Board of Committed User Stories for Sprint 148:

 

Completed Issues

KeySummaryIssue TypePriorityStatusStory Points (31)
FHAC-4Review CONNECT generated QD request and response against the manual eHex participant testing checklistsTaskMajorCLOSED5
FHAC-5Review CONNECT generated RD request and response against the manual eHex Participant testing checklistsTaskMajorCLOSED5
FHAC-21Research and analyze dependency check report from DoD/SCQCTaskMajorCLOSED5
FHAC-25Mitigate "Race Condition: Singleton Member Field" Fortify FindingTaskMajorCLOSED2
FHAC-26Mitigate "Insecure Transport: Mail Transmission" Fortify FindingTaskMajorCLOSED1
FHAC-31 *Add WebSphere 8.5 application server to CI Merge ProcessTaskMinorCLOSED2
FHAC-32Discuss CMS Audit requirements in 3 zone architectureTaskMinorCLOSED2
FHAC-35Fix the MinimumDegreeMatch in the PD Request for the range between 0 and 100TaskMajorCLOSED2
FHAC-42Create Tickets to Fix CONNECT Audit services for PD,QD and RD services based on EHEX checklist from wiki documentation.TaskMajorCLOSED2
FHAC-49Add resource-ref declarations in glassfish web deployment descriptor filesTaskMinorCLOSED2
FHAC-63 *Remove Audit Logging Passthru Test from Nightly Automated Regression ExceutionTaskMinorCLOSED-
FHAC-64 *OWASP Dependency Check: Remove unused transitive dependenciesTaskMinorCLOSED2
FHAC-65 *Mitigate "Path Manipulation" Fortify FindingsTaskMajorCLOSED-
FHAC-66 *Mitigate "Log Forging" Fortify FindingsTaskMajorCLOSED1

Issues Not Completed

KeySummaryIssue TypePriorityStatusStory Points (1)
FHAC-33Document CONNECT Development Process in WikiTaskMinorIN PROGRESS1

Issues Removed From Sprint

KeySummaryIssue TypePriorityStatusStory Points (1)
FHAC-14Determine whether EHEX Cert contributions are needed in the main Gateway codeTaskMajorOPEN1