fix(lib): SOC2 with Rev2022 Framework #2231
Missing assessments have been marked in the Excel file with different colours.
- Requirement "CC3.2.6" has been split into 2 because it contained the next requirement (the true CC3.2.7) inside it. Ref IDs have been fixed for the "CC3.2" requirement group, but URN IDs haven't changed. Users must be informed of this change so they can perform their assessment correctly.
- Fixed Ref IDs for requirement groups "PI1.1", "PI1.2", "PI1.3", "PI1.4", "PI1.5", "P1.1", "P2.1" and "P3.1". URN IDs haven't changed.
- [WARNING] Requirement groups "PI1.1", "PI1.2", "PI1.3", "PI1.4", "PI1.5", "P1.1", "P2.1" and "P3.1" were assessable when they shouldn't be. The assessability for these groups has been REMOVED! Users should note the assessments made for these groups BEFORE UPDATING the framework and report their assessments to the appropriate requirements.
- Added 36 missing requirements for requirement groups "PI1.1", "PI1.2", "PI1.3", "PI1.4", "PI1.5", "P1.1", "P2.1" and "P3.1".
- Spanish translations for the missing requirements were made with Excel's "TRANSLATE" function.
- Removed the "publication_date" field in the Excel file so that the date is updated automatically by "convert_library_v2.py".
Walkthrough
The SOC2-2017 Trust Services Criteria YAML library was updated to version 3, adding versioning metadata, restructuring the processing integrity and privacy sections for more detailed assessable child nodes, adjusting requirement node descriptions and ref_ids, and refining assessability flags.
Sequence Diagram(s)
sequenceDiagram
participant User
participant SOC2_Library
participant RequirementNode
User->>SOC2_Library: Request criteria (e.g., Processing Integrity)
SOC2_Library->>RequirementNode: Retrieve non-assessable parent node (e.g., PI1.1)
RequirementNode->>SOC2_Library: Return assessable child nodes (e.g., PI1.1.1, PI1.1.2, ...)
SOC2_Library->>User: Provide detailed, assessable requirements
Actionable comments posted: 0
🔭 Outside diff range comments (1)
backend/library/libraries/soc2_2017_with_rev_2022.yaml (1)
1-5200: Duplicate ref_id collisions detected
The automated check has uncovered the following ref_id values duplicated across the repository, which will cause ambiguous look-ups at runtime:
• ESRS
• ISO/IEC
• LPM-OIV-2019
• NSIZM-v3
• SecNumCloud
• TISAX
• ref_id:
Each of these identifiers must be unique. Please locate and rename or remove the conflicting entries so that every ref_id in your YAML libraries is distinct.
🧹 Nitpick comments (3)
backend/library/libraries/soc2_2017_with_rev_2022.yaml (3)
1-2: Prefer folded scalar for long, multi-line value
Storing the convert_library_version string as a single-quoted scalar split across two physical lines is syntactically valid YAML, but it is brittle (indentation sensitive, hard to diff, noisy in git blames).
A folded > block is clearer and removes the need for doubled quotes.
-convert_library_version: 'v2 ; Compat Mode: [0] {[v2.1] (DEFAULT) Don''t use any Compatibility - Mode}' +convert_library_version: > + v2 ; Compat Mode: [0] {[v2.1] (DEFAULT) Don't use any Compatibility Mode}
1454-1462: true_cc3.2.6 URN prefix is non-standard and may break downstream tooling
Introducing a new naming pattern (true_…) only for this node is inconsistent with existing URN conventions (ccX.Y.Z).
Consider either:
- Keeping the numeric pattern (e.g. cc3.2.6a) or
- Adding a meta-field such as replaces: urn:…:cc3.2.5 to indicate the split.
This avoids ad-hoc prefixes that parsers / UIs will not recognise.
5016-5052: Exact duplicate text between P2.1.1 and P3.1.2
The full “Collects Information by Fair and Lawful Means” paragraph appears verbatim in two different criteria.
If the duplication is intentional, consider using YAML anchors/aliases to keep a single source of truth and reduce translation effort. Otherwise, re-word one of the descriptions to highlight the nuance between “Choice & Consent” and “Collection”.
🔇 Additional comments (2)
backend/library/libraries/soc2_2017_with_rev_2022.yaml (2)
1468-1473: URN / ref_id divergence is easy to misinterpret
urn:…:cc3.2.6 now points to ref_id: CC3.2.7. Although the description in the PR says URNs stay frozen, consumers that join on the numeric part of the URN will silently map to the wrong reference ID. Please double-check every consumer of the library and consider adding a small compatibility map (old-URN → new-ref_id) in code rather than relying on tribal knowledge.
4488-4494: Parent URN still uses pp1.1 after the group was renamed to PI1.1
All newly added pi1.1.* nodes reference parent_urn: …:pp1.1.
If an integrator resolves hierarchy purely by URN, the parent will appear under the legacy “PP” branch even though the visible ref_id says “PI”. That mismatch may surface as broken breadcrumb paths in UIs. Confirm that the rendering layer keys on ref_id rather than URN, or update the parent_urns to pi1.1.
Actionable comments posted: 2
🧹 Nitpick comments (3)
backend/library/libraries/soc2_2017_with_rev_2022.yaml (3)
1-2: Fold the long convert_library_version literal to improve YAML readability
A single-quoted scalar that spans multiple lines is perfectly valid YAML, but in practice it is hard to read, diff, and copy-paste.
Using the folded style keeps the semantics identical while making the file easier to maintain.
-convert_library_version: 'v2 ; Compat Mode: [0] {[v2.1] (DEFAULT) Don''t use any Compatibility - Mode}' +convert_library_version: > + v2 ; Compat Mode: [0] {[v2.1] (DEFAULT) Don't use any Compatibility Mode}
4471-4566: parent_urn still uses pp1.1 after the node was re-tagged to PI1.1
The parent remains urn:…:pp1.1 # assessable: false, ref_id: PI1.1 while children are now pi1.1.*.
Technically this works, but the mixed pp/pi prefix is confusing and will trip string-based look-ups.
- parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pp1.1 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pi1.1
Remember to update the ancestor node’s own urn: to pi1.1 and cascade the same change in every descendant parent_urn.
5135-5189: Content duplication between P2.1.1 and P3.1.2
Both nodes carry an almost identical “Collects Information by Fair and Lawful Means” narrative.
If that is intentional (choice/consent vs. collection sections) keep as-is; otherwise consider referencing a shared text fragment to avoid future drift.
🔇 Additional comments (2)
backend/library/libraries/soc2_2017_with_rev_2022.yaml (2)
2028-2086: [COSO] description prefixing looks good – watch for translation drift
The English descriptions were prefixed with “[COSO]”; however, Spanish counterparts for CC5.2.2-CC5.2.4 already contained that prefix before the change.
Verify that automated extract/translate jobs will not duplicate “[COSO]” on the next regeneration.
18-19: No action needed: version and publication_date are consumed downstream
The YAML loader in core/models.py (lines 258–330) parses both fields and passes them into StoredLibrary.objects.create. Additionally, serializers and utils in backend/library/ reference version and publication_date. No further changes required.
ref_id: CC3.2.5 | ||
description: "[COSO] Determines How to Respond to Risks \u2014 Risk assessment\ | ||
\ includes considering how the risk should be managed and whether to accept,\ | ||
\ avoid, reduce, or share the risk. Identifies Threats to Objectives \u2014\ | ||
The entity identifies threats to the achievement of its objectives from intentional\ | ||
\ (including malicious) and unintentional acts and environmental events." | ||
\ avoid, reduce, or share the risk." | ||
translations: | ||
es: | ||
description: "[COSO] Determina c\xF3mo responder a los riesgos - La evaluaci\xF3\ | ||
n de riesgos incluye considerar c\xF3mo debe gestionarse el riesgo y si\ | ||
\ debe aceptarse, evitarse, reducirse o compartirse. Identifica las amenazas\ | ||
\ a los objetivos - La entidad identifica las amenazas a la consecuci\xF3\ | ||
n de sus objetivos derivadas de actos intencionados (incluidos los malintencionados)\ | ||
\ y no intencionados y de acontecimientos del entorno." | ||
- urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2.6 | ||
\ debe aceptarse, evitarse, reducirse o compartirse." | ||
- urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:true_cc3.2.6 | ||
assessable: true | ||
depth: 3 | ||
parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2 | ||
ref_id: CC3.2.6 | ||
description: "[TSC] Identifies Threats to Objectives \u2014The entity identifies\ | ||
\ threats to the achievement of its objectives from intentional (including\ | ||
\ malicious) and unintentional acts and environmental events." | ||
translations: | ||
es: | ||
description: "[TSC] Identifica las amenazas a los objetivos - La entidad\ | ||
\ identifica las amenazas a la consecuci\xF3n de sus objetivos derivadas\ | ||
\ de actos intencionados (incluidos los malintencionados) y no intencionados\ | ||
\ y de acontecimientos del entorno." | ||
- urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2.6 | ||
assessable: true | ||
depth: 3 | ||
parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2 | ||
ref_id: CC3.2.7 | ||
description: "[TSC] Identifies Vulnerability of System Components \u2014 The\ |
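Review bot: The new `true_cc3.2.6` description reads `\u2014The entity identifies` with no space after the em dash, while CC3.2.5 and CC3.2.7 in the same hunk use `\u2014 The`; add the space so the rendered text matches its siblings. The hunk also leaves the existing `…:cc3.2.6` URN attached to `ref_id: CC3.2.7`, so any consumer that derives the criterion number from the URN tail now reads a different criterion than the ref_id states; the PR text says this is deliberate, so record it in the library changelog as well.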
Potential URN / ref-ID collision after splitting CC3.2.6
The old node cc3.2.6 keeps its URN but is rebased to ref_id: CC3.2.7, while the new node true_cc3.2.6 also uses ref_id: CC3.2.6.
Even though ref_ids are now unique, many integrations key on the URN alone.
If any stored assessment still references urn:…:cc3.2.6, it will now point to a different textual requirement, which can corrupt history.
- - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2.6
+ # ⚠️ Consider renaming the URN as well to keep URN-to-text identity stable
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2.7
At minimum run a one-off migration that rewrites stored references or adds aliases.
ref_id: CC3.2.5 | |
description: "[COSO] Determines How to Respond to Risks \u2014 Risk assessment\ | |
\ includes considering how the risk should be managed and whether to accept,\ | |
\ avoid, reduce, or share the risk. Identifies Threats to Objectives \u2014\ | |
The entity identifies threats to the achievement of its objectives from intentional\ | |
\ (including malicious) and unintentional acts and environmental events." | |
\ avoid, reduce, or share the risk." | |
translations: | |
es: | |
description: "[COSO] Determina c\xF3mo responder a los riesgos - La evaluaci\xF3\ | |
n de riesgos incluye considerar c\xF3mo debe gestionarse el riesgo y si\ | |
\ debe aceptarse, evitarse, reducirse o compartirse. Identifica las amenazas\ | |
\ a los objetivos - La entidad identifica las amenazas a la consecuci\xF3\ | |
n de sus objetivos derivadas de actos intencionados (incluidos los malintencionados)\ | |
\ y no intencionados y de acontecimientos del entorno." | |
- urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2.6 | |
\ debe aceptarse, evitarse, reducirse o compartirse." | |
- urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:true_cc3.2.6 | |
assessable: true | |
depth: 3 | |
parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2 | |
ref_id: CC3.2.6 | |
description: "[TSC] Identifies Threats to Objectives \u2014The entity identifies\ | |
\ threats to the achievement of its objectives from intentional (including\ | |
\ malicious) and unintentional acts and environmental events." | |
translations: | |
es: | |
description: "[TSC] Identifica las amenazas a los objetivos - La entidad\ | |
\ identifica las amenazas a la consecuci\xF3n de sus objetivos derivadas\ | |
\ de actos intencionados (incluidos los malintencionados) y no intencionados\ | |
\ y de acontecimientos del entorno." | |
- urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2.6 | |
assessable: true | |
depth: 3 | |
parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2 | |
ref_id: CC3.2.7 | |
description: "[TSC] Identifies Vulnerability of System Components \u2014 The\ | |
ref_id: CC3.2.5 | |
description: "[COSO] Determines How to Respond to Risks \u2014 Risk assessment\ | |
\ includes considering how the risk should be managed and whether to accept,\ | |
\ avoid, reduce, or share the risk." | |
translations: | |
es: | |
description: "[COSO] Determina c\xF3mo responder a los riesgos - La evaluaci\xF3\ | |
n de riesgos incluye considerar c\xF3mo debe gestionarse el riesgo y si\ | |
\ debe aceptarse, evitarse, reducirse o compartirse." | |
- urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:true_cc3.2.6 | |
assessable: true | |
depth: 3 | |
parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2 | |
ref_id: CC3.2.6 | |
description: "[TSC] Identifies Threats to Objectives \u2014The entity identifies\ | |
\ threats to the achievement of its objectives from intentional (including\ | |
\ malicious) and unintentional acts and environmental events." | |
translations: | |
es: | |
description: "[TSC] Identifica las amenazas a los objetivos - La entidad\ | |
\ identifica las amenazas a la consecuci\xF3n de sus objetivos derivadas\ | |
\ de actos intencionados (incluidos los malintencionados) y no intencionados\ | |
\ y de acontecimientos del entorno." | |
# ⚠️ Consider renaming the URN as well to keep URN-to-text identity stable | |
- urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2.7 | |
assessable: true | |
depth: 3 | |
parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2 | |
ref_id: CC3.2.7 | |
description: "[TSC] Identifies Vulnerability of System Components \u2014 The\ | |
\ entity assesses weaknesses in design, implementation, or operation of system components and identifies potential vulnerabilities." |
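Review bot: The suggested block inserts a `# ⚠️ Consider renaming the URN …` comment into the library data itself; drop that line before committing, since the PR description indicates the YAML is regenerated from the Excel source by `convert_library_v2.py` and a hand-written comment would not survive the next regeneration. Renaming `…:cc3.2.6` to `…:cc3.2.7` also means a stored assessment that still references `…:cc3.2.6` resolves to no node at all, so the migration mentioned above becomes a prerequisite for this suggestion rather than an optional follow-up.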
🤖 Prompt for AI Agents
In backend/library/libraries/soc2_2017_with_rev_2022.yaml between lines 1445 and
1473, there is a URN and ref_id collision caused by splitting the original
CC3.2.6 node into two nodes with overlapping URNs but different ref_ids. To fix
this, update the URNs to be unique by renaming one of the conflicting URNs
(e.g., append a suffix or use a new unique identifier) and ensure all references
in stored assessments are migrated accordingly. Implement a one-off migration
script to rewrite stored references or add alias mappings so that existing data
pointing to the old URN correctly resolves to the intended requirement without
corrupting history.
For practical reasons, requirement groups "PI1.1", "PI1.2", "PI1.3", "PI1.4", "PI1.5", "P1.1", "P2.1" and "P3.1" can again be assessed.
Actionable comments posted: 3
♻️ Duplicate comments (2)
backend/library/libraries/soc2_2017_with_rev_2022.yaml (2)
4590-4610: Same parent_urn issue repeats for pi1.2.* children
See previous comment – fix all occurrences (pp1.2, pp1.3, …).
1454-1472: URN / ref_id mismatch still present – risk of data corruption
true_cc3.2.6 keeps ref_id: CC3.2.6, while the old node keeps the same URN (…:cc3.2.6) but is now ref_id: CC3.2.7.
Integrations that dereference the URN will silently read the wrong text. If renaming the URN is impossible, add an alias list (previous_urns:) or ship a one-off migration.
🧹 Nitpick comments (1)
backend/library/libraries/soc2_2017_with_rev_2022.yaml (1)
1-2: Single-quoted scalar breaks mid-word – readability & maintainability hit
The convert_library_version value is split by a hard newline inside the single-quoted scalar.
While technically valid YAML, this makes the string harder to grep for and to diff later.
-convert_library_version: 'v2 ; Compat Mode: [0] {[v2.1] (DEFAULT) Don''t use any Compatibility - Mode}' +convert_library_version: > + v2 ; Compat Mode: [0] {[v2.1] (DEFAULT) Don't use any Compatibility Mode}
Using the folded style (> or |) keeps the line break semantics explicit and avoids accidental mid-token splits.
🔇 Additional comments (1)
backend/library/libraries/soc2_2017_with_rev_2022.yaml (1)
18-19: 👍 Version bump & publication date update look good
No issues spotted with the metadata change.
- urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pi1.5.1 | ||
assessable: true | ||
depth: 3 | ||
parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pp1.5 | ||
ref_id: PI1.5.1 | ||
description: "Protects Stored Items \u2014 Stored items are protected to prevent\ | ||
\ theft, corruption, destruction, or deterioration that would prevent output\ | ||
\ from meeting specifications." | ||
translations: | ||
es: | ||
description: "Protege los elementos almacenados - Los art\xEDculos almacenados\ | ||
\ est\xE1n protegidos para evitar robos, corrupci\xF3n, destrucci\xF3\ | ||
n o deterioro que impedir\xEDan que la producci\xF3n cumpla con las especificaciones." | ||
- urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pi1.5.2 | ||
assessable: true | ||
depth: 3 | ||
parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pp1.5 | ||
ref_id: PI1.5.2 | ||
description: "Archives and Protects System Records \u2014 System records are\ | ||
\ archived, and archives are protected against theft, corruption, destruction,\ | ||
\ or deterioration that would prevent them from being used." | ||
translations: | ||
es: | ||
description: "Archiva y protege los registros del sistema - Los registros\ | ||
\ del sistema se archivan y los archivos se protegen contra el robo, la\ | ||
\ corrupci\xF3n, la destrucci\xF3n o el deterioro que impedir\xEDan su\ | ||
\ uso." | ||
- urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pi1.5.3 | ||
assessable: true | ||
depth: 3 | ||
parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pp1.5 | ||
ref_id: PI1.5.3 | ||
description: "Stores Data Completely and Accurately \u2014 Procedures are in\ | ||
\ place to provide for the complete, accurate, and timely storage of data." | ||
translations: | ||
es: | ||
description: Almacena datos de forma completa y precisa - Existen procedimientos | ||
para proporcionar el almacenamiento completo, preciso y oportuno de los | ||
datos. | ||
- urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pi1.5.4 | ||
assessable: true | ||
depth: 3 | ||
parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pp1.5 | ||
ref_id: PI1.5.4 | ||
description: "Creates and Maintains Records of System Storage Activities \u2014\ | ||
\ Records of system storage activities are created and maintained completely\ | ||
\ and accurately in a timely manner." | ||
translations: | ||
es: | ||
description: Crea y mantiene registros de las actividades de almacenamiento | ||
del sistema - Los registros de las actividades de almacenamiento del sistema | ||
se crean y mantienen de manera completa y precisa de manera oportuna. |
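Review bot: Every node in this hunk carries `parent_urn: …:pp1.5` while its `ref_id` is `PI1.5.x`, so the URN tail and the ref_id disagree on the group prefix; either rename the parent URN to `…:pi1.5` together with the children, or keep `pp1.5` consistently and document it. Minor: the Spanish descriptions for PI1.5.3 and PI1.5.4 are plain multi-line scalars while the others are double-quoted with `\xF3`-style escapes; both load to the same text, but one style would keep the generated file easier to diff.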
💡 Verification agent
🧩 Analysis chain
Potential duplicate ref_id: SOC2-2017-Rev-2022 still unaddressed
Past verification flagged duplicates of this top-level ref_id. Please rerun the duplicate-check script after the latest edits.
🏁 Script executed:
#!/usr/bin/env bash
pip install --quiet pyyaml
python - <<'PY'
import yaml, collections, pathlib, sys
data=yaml.safe_load(open("backend/library/libraries/soc2_2017_with_rev_2022.yaml"))
seen, dups=set(),set()
def walk(n):
if isinstance(n,dict):
if 'ref_id' in n:
(dups if n['ref_id'] in seen else seen).add(n['ref_id'])
for v in n.values(): walk(v)
elif isinstance(n,list):
for v in n: walk(v)
walk(data)
print("DUP ref_id:", dups)
sys.exit(bool(dups))
PY
Duplicate ref_id: SOC2-2017-Rev-2022 still present
The duplicate-check script continues to report SOC2-2017-Rev-2022 as a repeated ref_id. Please remove or rename the redundant entry so that each ref_id is unique.
• File: backend/library/libraries/soc2_2017_with_rev_2022.yaml
• Run grep -n "ref_id: SOC2-2017-Rev-2022" backend/library/libraries/soc2_2017_with_rev_2022.yaml to locate both occurrences.
🤖 Prompt for AI Agents
In backend/library/libraries/soc2_2017_with_rev_2022.yaml between lines 4776 and
4827, there are duplicate ref_id values labeled SOC2-2017-Rev-2022. Locate all
occurrences of this ref_id using the suggested grep command and ensure each
ref_id is unique by either removing or renaming the redundant entries to
eliminate duplication.
assessable: true | ||
depth: 2 | ||
parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pi | ||
ref_id: PP1.1 | ||
ref_id: PI1.1 | ||
description: The entity obtains or generates, uses, and communicates relevant, | ||
quality information regarding the objectives related to processing, including | ||
definitions of data processed and product and service specifications, to support |
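Review bot: `ref_id` moves from `PP1.1` to `PI1.1`, but the node's own `urn:` line sits just above this hunk and is not shown as changed, and the children added elsewhere in the PR still point at `…:pp1.1`; include the `urn:` line in the change (or state explicitly that the URN stays frozen) so a reviewer can confirm whether the two identifiers were renamed together. `assessable: true` at depth 2 also contradicts the PR description's statement that assessability was removed for PI1.1; one of the two needs updating.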
PI1.* groups should now be non-assessable – but assessable: true remains
The PR description says assessability has been removed from groups PI1.1 … PI1.5; however the YAML still flags them as assessable: true.
Change to false to align code with spec.
- assessable: true
+ assessable: false
assessable: true | |
depth: 2 | |
parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pi | |
ref_id: PP1.1 | |
ref_id: PI1.1 | |
description: The entity obtains or generates, uses, and communicates relevant, | |
quality information regarding the objectives related to processing, including | |
definitions of data processed and product and service specifications, to support | |
assessable: false | |
depth: 2 | |
parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pi | |
ref_id: PI1.1 | |
description: The entity obtains or generates, uses, and communicates relevant, | |
quality information regarding the objectives related to processing, including | |
definitions of data processed and product and service specifications, to support |
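Review bot: Applying this suggestion (`assessable: false`) conflicts with the later addition to the PR description that, for practical reasons, the PI1.x and P*.1 groups "can again be assessed"; decide which behaviour is wanted and align the description, the Excel source and the YAML together rather than committing the flag change in isolation.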
🤖 Prompt for AI Agents
In backend/library/libraries/soc2_2017_with_rev_2022.yaml around lines 4471 to
4477, the assessable flag for the PI1.* groups is incorrectly set to true.
Update the assessable field from true to false for these groups to reflect the
removal of assessability as specified in the PR description.
parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pp1.1 | ||
ref_id: PI1.1.1 | ||
description: "Identifies Functional and Nonfunctional Requirements and Information\ | ||
\ Specifications \u2014 The entity identifies and communicates functional\ | ||
\ and nonfunctional re- quirements related to system processing and information\ | ||
\ specifications required to support the use of products and services." | ||
translations: | ||
es: | ||
description: "Identifica los requisitos funcionales y no funcionales y las\ | ||
\ especificaciones de informaci\xF3n - La entidad identifica y comunica\ | ||
\ los requisitos funcionales y no funcionales relacionados con el procesamiento\ | ||
\ del sistema y las especificaciones de informaci\xF3n necesarias para\ | ||
\ respaldar el uso de productos y servicios." |
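Review bot: The English description contains `nonfunctional re- quirements`, a hyphenated line break carried over from the source document; it should read `nonfunctional requirements`. Check the other added descriptions for the same artefact, since they appear to have been pasted from the same source. The `parent_urn: …:pp1.1` / `ref_id: PI1.1.1` prefix mismatch applies here as in the other new PI1.x children.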
💡 Verification agent
🧩 Analysis chain
Child nodes still reference legacy parent URNs (pp1.1)
All new pi1.1.x children list parent_urn: …:pp1.1 but the parent node’s URN is now pi1.1 (or should be). This breaks the tree traversal logic.
Search-and-replace the parent_urn on all newly added PI/PP children.
Generate check:
🏁 Script executed:
#!/usr/bin/env bash
# List any parent_urn that starts with ":pp" under PI1.*
rg -n "parent_urn: .*:pp1\." backend/library/libraries/soc2_2017_with_rev_2022.yaml
Update legacy parent URNs in SOC2 YAML children nodes
The PI1.* child entries still point to :pp1.x, but the parent nodes have been renamed to :pi1.x. Update all parent_urn references accordingly to restore correct tree traversal.
• File: backend/library/libraries/soc2_2017_with_rev_2022.yaml
– Lines 4488, 4504, 4558: change pp1.1 → pi1.1
– Lines 4590, 4602, 4614: change pp1.2 → pi1.2
– Lines 4640, 4652, 4664, 4677, 4689: change pp1.3 → pi1.3
– Lines 4715, 4728, 4739, 4752: change pp1.4 → pi1.4
– Lines 4779, 4792, 4806, 4818: change pp1.5 → pi1.5
Example diff snippet:
- parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pp1.1
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pi1.1
You can also run a global replace:
sed -i 's/:pp1\./:pi1./g' backend/library/libraries/soc2_2017_with_rev_2022.yaml
This will ensure all PI1.x children reference the correct parent URNs.
🤖 Prompt for AI Agents
In backend/library/libraries/soc2_2017_with_rev_2022.yaml around lines 4488 to
4500 and other specified lines, the parent_urn values for PI1.* child entries
incorrectly reference ':pp1.x' instead of the updated ':pi1.x'. Update all these
parent_urn references by replacing ':pp1.' with ':pi1.' to ensure correct
parent-child linkage. You can do this manually at the specified lines or perform
a global search and replace for ':pp1.' to ':pi1.' throughout the file.
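An added example (not the project's code) that takes the two verification scripts in this thread one step further: a small linter over the loaded library that scopes the duplicate check to requirement nodes, reports parent_urn values that resolve to no node, and flags URN/ref_id divergence such as pp1.1/PI1.1 and cc3.2.6/CC3.2.7. The library shape (a top-level ref_id, an objects.framework object with its own ref_id, and a requirement_nodes list) is an assumption, as is the inference that the shared library/framework ref_id is why the whole-document walk above reports SOC2-2017-Rev-2022 as a duplicate.

```python
"""Consistency checks for a CISO Assistant style framework library (added example,
not project code). Assumes the YAML loads into the shape of SAMPLE_LIBRARY below."""
from collections import Counter, defaultdict

PREFIX = "urn:intuitem:risk:req_node:soc2-2017-rev-2022:"

def _node(suffix, ref_id, depth, parent=None, assessable=True):
    """One requirement node in the library's layout (constructed sample data)."""
    node = {"urn": PREFIX + suffix, "assessable": assessable, "depth": depth, "ref_id": ref_id}
    if parent:
        node["parent_urn"] = PREFIX + parent
    return node

# Constructed sample modelled on the nodes discussed in this PR, plus one child
# (pi1.2.1) whose parent_urn was renamed before its parent node was.
SAMPLE_LIBRARY = {
    "urn": "urn:intuitem:risk:library:soc2-2017-rev-2022",
    "ref_id": "SOC2-2017-Rev-2022",  # assumed: library and framework share this value
    "objects": {"framework": {
        "urn": "urn:intuitem:risk:framework:soc2-2017-rev-2022",
        "ref_id": "SOC2-2017-Rev-2022",
        "requirement_nodes": [
            _node("cc3", "CC3", 1, assessable=False),
            _node("cc3.2", "CC3.2", 2, "cc3", assessable=False),
            _node("cc3.2.5", "CC3.2.5", 3, "cc3.2"),
            _node("true_cc3.2.6", "CC3.2.6", 3, "cc3.2"),  # the split-off node
            _node("cc3.2.6", "CC3.2.7", 3, "cc3.2"),  # old URN, new ref_id
            _node("pi", "PI", 1, assessable=False),
            _node("pp1.1", "PI1.1", 2, "pi"),  # ref_id renamed, URN not
            _node("pi1.1.1", "PI1.1.1", 3, "pp1.1"),
            _node("pi1.2.1", "PI1.2.1", 3, "pi1.2"),  # no node has urn ...:pi1.2
        ],
    }},
}

def walk_dicts(data):
    """Yield every mapping in the loaded YAML, depth first."""
    if isinstance(data, dict):
        yield data
        for value in data.values():
            yield from walk_dicts(value)
    elif isinstance(data, list):
        for item in data:
            yield from walk_dicts(item)

def requirement_nodes(data):
    """Entries of 'requirement_nodes' lists only. The library object and the
    framework object legitimately share a ref_id, so a check that counts every
    mapping in the file reports that value as a duplicate; this scope does not."""
    return [n for d in walk_dicts(data)
            for n in (d.get("requirement_nodes") or []) if isinstance(n, dict)]

def duplicate_ref_ids(mappings):
    """ref_id values that occur more than once among the given mappings."""
    counts = Counter(m["ref_id"] for m in mappings if isinstance(m.get("ref_id"), str))
    return sorted(r for r, c in counts.items() if c > 1)

def dangling_parent_urns(nodes):
    """(child urn, parent_urn) pairs whose parent_urn matches no node urn."""
    known = {n["urn"] for n in nodes}
    return sorted((n["urn"], n["parent_urn"]) for n in nodes
                  if n.get("parent_urn") and n["parent_urn"] not in known)

def urn_ref_id_divergence(nodes):
    """(urn, ref_id) pairs whose URN tail is not the lower-cased ref_id: the
    cc3.2.6/CC3.2.7 and pp1.1/PI1.1 cases, where a consumer keying on the URN
    alone lands on a different criterion than the visible ref_id says."""
    return sorted((n["urn"], n.get("ref_id")) for n in nodes
                  if n["urn"].rsplit(":", 1)[-1] != str(n.get("ref_id", "")).lower())

def assessable_groups(nodes):
    """ref_ids of assessable nodes that also have children. The PR goes back and
    forth on this for the PI1.x / P*.1 groups, so it is a report, not an error."""
    children = defaultdict(int)
    for n in nodes:
        children[n.get("parent_urn")] += 1
    return sorted(n["ref_id"] for n in nodes if n.get("assessable") and children[n["urn"]])

def lint(data):
    """Run every check and return the findings keyed by name."""
    nodes = requirement_nodes(data)
    return {
        "naive_duplicates": duplicate_ref_ids(list(walk_dicts(data))),
        "node_duplicates": duplicate_ref_ids(nodes),
        "dangling_parents": dangling_parent_urns(nodes),
        "urn_ref_id_divergence": urn_ref_id_divergence(nodes),
        "assessable_groups": assessable_groups(nodes),
    }

if __name__ == "__main__":  # python lint_library.py [library.yaml]; a real file needs PyYAML
    import json, sys
    data = SAMPLE_LIBRARY
    if len(sys.argv) > 1:
        import yaml
        with open(sys.argv[1]) as fh:
            data = yaml.safe_load(fh)
    print(json.dumps(lint(data), indent=2))
```

Run against the real file, the urn_ref_id_divergence list is the set of nodes a URN-keyed consumer would mis-resolve after this PR, which is the inventory a compatibility map or migration would need.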
let's do a custom migration to fix that.
Changes
- CC3.2.6 has been split into 2 because it contained the next requirement (the true CC3.2.7) inside it. Ref IDs have been fixed for the CC3.2 requirement group, but URN IDs haven't changed. Users should be informed of this change so they can perform their assessment correctly. The assessment already performed for this requirement won't be deleted.
- Fixed Ref IDs for requirement groups PI1.1, PI1.2, PI1.3, PI1.4 and PI1.5. URN IDs haven't changed.
- Added 36 missing requirements for requirement groups PI1.1, PI1.2, PI1.3, PI1.4, PI1.5, P1.1, P2.1 and P3.1.
- Spanish translations for the missing requirements were made with Excel's TRANSLATE function.
- Requirement groups PI1.1, PI1.2, PI1.3, PI1.4, PI1.5, P1.1, P2.1 and P3.1 were assessable when they shouldn't be. The ASSESSABILITY for these groups has been REMOVED! Users should NOTE THE ASSESSMENTS MADE for these groups BEFORE UPDATING the framework in their loaded libraries and report their assessments to the appropriate requirements.
- For practical reasons, requirement groups PI1.1, PI1.2, PI1.3, PI1.4, PI1.5, P1.1, P2.1 and P3.1 can again be assessed.