December 15th - December 29th
...
Support for NwHIN eHealth Exchange Certification Review/Remaining Issues
– Set the "mustUnderstand" attribute on the WS-Addressing Action element in the SOAP response (CONN-1506 & CONN-1428)
• Added supporting tests to regression suite for future compliance
– The first resolution to address the Semantic Text removal was applied only to the parameter list in QueryByParameter; it still had to be applied to the MatchCriterionList elements in the PD request schema
• Parameters MatchAlgorithm & MinimumDegreeMatch
– Researched and addressed the PurposeOfUse and Role scoping issue discovered as part of NIST DS testing
• Due to the delay in receiving official guidance from Spec factory, made the prefix configurable, with the default set to off
System Administration Module or Admin GUI (Feature complete)
System Administration Module or Admin GUI documentation
- Requirements wiki page - https://connectopensource.atlassian.net/wiki/x/NQHs
- Design approach - https://connectopensource.atlassian.net/wiki/x/igDs
- Testing artifacts -
Direct enhancements (Feature complete)
Direct documentation
- Requirements wiki page - https://connectopensource.atlassian.net/wiki/x/lwGD
- Design approach - https://connectopensource.atlassian.net/wiki/x/KwGD
- Testing artifacts - https://connectopensource.atlassian.net/wiki/x/EAB3AQ
Other tasks post release
...
– Reviewed CONNECT generated PD request and response against all pertinent manual EHEX certification checklists
• Split the review by service type and consolidated the manual checklists/spreadsheets accordingly
• Several spreadsheets were associated with PD
• No additional findings were found
Validation of Auditing Design against EHEX Checklist
– Auditing isn’t currently a part of EHEX Certification testing; manual checklists are published
– The expectation is this will soon be part of future requirements
– Took current Auditing messages and the design for Audit improvements and reviewed them against EHEX checklists
• Though Audit design addresses all services supported by CONNECT, the review only focused on EHEX supported services
• Review CONNECT generated audit messages against PD initiator and responder manual checklists from Healtheway
• Review CONNECT generated audit messages against QD initiator and responder manual checklists from Healtheway
• Review CONNECT generated audit messages against RD initiator and responder manual checklists from Healtheway
Functional and Security Testing Improvements
– Followed up with DoD SCQC team on Fortify next steps and final reviews of Release 4.4 (Updated rule engine)
– Added OWASP Dependency Checks to the nightly continuous integration process for the Jenkins build
– Resolved CONNECT Nightly build issue -- Bimodal Regression test ValidateSAMLResourceURIAttributeTest
– Updated regression suite tests to check that all service responses have the mustUnderstand attribute set in the Action header element
– Addressed post 4.4 Fortify findings
• Mitigated "Setting Manipulation" finding, eliminating the ability for an attacker to control values that govern system behavior
• Mitigated "System Information Leak: Internal" finding occurring during debugging
Other tasks post release
- Continuing to work on the team generated Technical Stories
- Continued backlog grooming and prioritization
- Beginning preparation for the Change Control Board
JIRA Planning Board of Committed User Stories for Sprint 147:
...
Key | Summary | Issue Type | Priority | Status | Story Points (28) |
---|---|---|---|---|---|
FHAC-3 | Review CONNECT generated PD request and response against the manual eHex Participant testing checklists | Task | Major | CLOSED | 5 |
FHAC-7 * | Research and follow-up on the PurposeOfUse and Role scoping issue discovered as part of NIST DS testing | Task | Major | CLOSED | 1 |
FHAC-8 * | Set "mustUnderstand" attribute on the WS-Addressing Action element in the SOAP response message | Story | Major | CLOSED | 0 |
FHAC-9 * | CONNECT is removing SemanticsText value for MatchCriterionList elements - MatchAlgorithm and MinimumDegreeMatch | Story | Major | CLOSED | 2 |
FHAC-11 | Review CONNECT generated audit messages against PD initiator and responder manual checklists from HealtheWay | Task | Major | CLOSED | 3 |
FHAC-12 * | Review CONNECT generated audit messages against QD initiator and responder manual checklists from HealtheWay | Task | Major | CLOSED | 2 |
FHAC-13 * | Review CONNECT generated audit messages against RD initiator and responder manual checklists from HealtheWay | Task | Major | CLOSED | 2 |
FHAC-15 | Research Set "mustUnderstand" attribute on the WS-Addressing Action element in the SOAP response message | Task | Minor | CLOSED | 2 |
FHAC-16 * | As a CONNECT developer, I would like the CONNECT internal dependencies (WebServices and CommonTypes) to have snapshot releases | Technical Story | Major | CLOSED | 0 |
FHAC-17 | Research Snapshot creation and how it would apply to Common Types and WebServices | Task | Major | CLOSED | 2 |
FHAC-18 | Apply Snapshot plan to Connect Webservices and CommonTypes | Task | Major | CLOSED | 2 |
FHAC-19 | Follow-up with SCQC on Fortify next steps | Task | Major | CLOSED | 1 |
FHAC-20 * | CI - Add OWASP Dependency Check to nightly jenkins build | Task | Major | CLOSED | 2 |
FHAC-23 * | Follow-up on timestamp expiration issue reported by CMS/OFM (CONN-1580) | Task | Major | CLOSED | 0 |
FHAC-24 * | CONNECT Nightly build -- Bimodal Regression test ValidateSAMLResourceURIAttributeTest failing | Task | Minor | CLOSED | 1 |
FHAC-28 * | Mitigate "Setting Manipulation" Fortify Finding | Task | Major | CLOSED | 1 |
FHAC-29 * | Update ValidateWSA-ActionSoapMustUnderstandTest regression suite test | Task | Minor | CLOSED | 1 |
FHAC-34 * | Mitigate "System Information Leak: Internal" Fortify Findings | Task | Minor | CLOSED | 1 |
Issues Not Completed
Key | Summary | Issue Type | Priority | Status | Story Points (2) |
---|---|---|---|---|---|
FHAC-14 | Determine whether EHEX Cert contributions are needed in the main Gateway code | Task | Major | IN PROGRESS | 1 |
FHAC-33 * | Document CONNECT Development Process in Wiki | Task | Minor | IN PROGRESS | 1 |