[Question]: How to attach an import-profile as a back-matter resource #1009

Open
2 of 12 tasks
Telos-sa opened this issue Dec 16, 2024 · 5 comments

Comments

@Telos-sa

This is a ...

request - need something additional provided

This relates to ...

  • the FedRAMP OSCAL Registry
  • the FedRAMP OSCAL baselines
  • the Guide to OSCAL-based FedRAMP Content
  • the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
  • the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
  • the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAR OSCAL Template (JSON or XML Format)
  • the FedRAMP POA&M OSCAL Template (JSON or XML Format)
  • the FedRAMP OSCAL Validations

What is your feedback?

We are interested in linking our import-profile as a URI fragment (#uuid of a back-matter resource). Is there a certain prop or some other aspect I am missing to achieve this?

"import-profile":{
  "href":"#bad33640-f1fd-5160-a64e-b3ad4a54ba0d"
}

"back-matter":{
  "resources":[
    {
      "uuid":"bad33640-f1fd-5160-a64e-b3ad4a54ba0d",
      "title":"FedRAMP_rev5_LOW-baseline-resolved-profile_catalog.xml",
      "description":"FedRAMP Low Baseline",
      "props":[
          {
              "name":"type",
              "ns":"http://csrc.nist.gov/ns/oscal",
              "value":"OSCAL Artifacts"
          }
      ],
      "rlinks":[
          {
              "href":"resources/FedRAMP_rev5_LOW-baseline-resolved-profile_catalog.xml",
              "media-type":"text/xml",
              "hashes":[
                  {
                      "algorithm":"SHA-384",
                      "value":"9ea7625c840c899ed6f139c974e8811ab5a6c38fa779fb832b20bdc968f99e28252a49a8d6e5cd088851ba1a981fe841"
                  }
              ]
          }
      ]
  }
  ]
}

oscal-cli command and output with stack trace:

oscal-cli validate Hogwarts\ SSP\ -\ 1.0\ \(2024-12-13T174948Z\).json -c fedramp_constraints/fedramp-external-allowed-values.xml fedramp_constraints/fedramp-external-constraints.xml fedramp_constraints/oscal-external-constraints.xml --show-stack-trace
Loading 'file:/Users/13994/Desktop/Hogwarts%20SSP%20-%201.0%20(2024-12-13T174948Z)/fedramp_constraints/fedramp-external-allowed-values.xml'
Loading 'file:/Users/13994/Desktop/Hogwarts%20SSP%20-%201.0%20(2024-12-13T174948Z)/fedramp_constraints/fedramp-external-constraints.xml'
Loading 'file:/Users/13994/Desktop/Hogwarts%20SSP%20-%201.0%20(2024-12-13T174948Z)/fedramp_constraints/oscal-external-constraints.xml'
Validating 'file:///Users/13994/Desktop/Hogwarts%20SSP%20-%201.0%20(2024-12-13T174948Z)/Hogwarts%20SSP%20-%201.0%20(2024-12-13T174948Z).json' as JSON.
An error occurred while evaluating the expression 'resolve-profile(doc(resolve-uri(import-profile/@href)))/catalog'. Unable to execute function 'fn:resolve-profile(profile as node()?) as node()'
gov.nist.secauto.metaschema.core.metapath.MetapathException: An error occurred while evaluating the expression 'resolve-profile(doc(resolve-uri(import-profile/@href)))/catalog'. Unable to execute function 'fn:resolve-profile(profile as node()?) as node()'
	at gov.nist.secauto.metaschema.core.metapath.MetapathExpression.evaluate(MetapathExpression.java:433) ~[dev.metaschema.java.metaschema-core-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.core.metapath.function.library.MpRecurseDepth.lambda$recurseDepth$0(MpRecurseDepth.java:147) ~[dev.metaschema.java.metaschema-core-2.1.0.jar:?]
	at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:271) ~[?:?]
	at java.base/java.util.stream.Streams$StreamBuilderImpl.forEachRemaining(Streams.java:411) ~[?:?]
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[?:?]
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]
	at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913) ~[?:?]
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
	at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578) ~[?:?]
	at gov.nist.secauto.metaschema.core.metapath.impl.StreamSequence.getValue(StreamSequence.java:63) ~[dev.metaschema.java.metaschema-core-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.core.model.constraint.DefaultConstraintValidator$Visitor.handleLetStatements(DefaultConstraintValidator.java:976) ~[dev.metaschema.java.metaschema-core-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.core.model.constraint.DefaultConstraintValidator$Visitor.visitAssembly(DefaultConstraintValidator.java:1016) ~[dev.metaschema.java.metaschema-core-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.core.model.constraint.DefaultConstraintValidator$Visitor.visitAssembly(DefaultConstraintValidator.java:955) ~[dev.metaschema.java.metaschema-core-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.core.metapath.item.node.IAssemblyNodeItem.accept(IAssemblyNodeItem.java:65) ~[dev.metaschema.java.metaschema-core-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.core.model.constraint.DefaultConstraintValidator.validate(DefaultConstraintValidator.java:142) ~[dev.metaschema.java.metaschema-core-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.databind.IBindingContext.validate(IBindingContext.java:502) ~[dev.metaschema.java.metaschema-databind-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.databind.IBindingContext.validate(IBindingContext.java:474) ~[dev.metaschema.java.metaschema-databind-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.databind.IBindingContext.validateWithConstraints(IBindingContext.java:558) ~[dev.metaschema.java.metaschema-databind-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.cli.commands.AbstractValidateContentCommand$AbstractValidationCommandExecutor.validate(AbstractValidateContentCommand.java:268) ~[dev.metaschema.java.metaschema-cli-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.cli.commands.AbstractValidateContentCommand$AbstractValidationCommandExecutor.execute(AbstractValidateContentCommand.java:222) ~[dev.metaschema.java.metaschema-cli-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.cli.processor.CLIProcessor$CallingContext.invokeCommand(CLIProcessor.java:521) [dev.metaschema.java.cli-processor-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.cli.processor.CLIProcessor$CallingContext.processCommand(CLIProcessor.java:497) [dev.metaschema.java.cli-processor-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.cli.processor.CLIProcessor.parseCommand(CLIProcessor.java:234) [dev.metaschema.java.cli-processor-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.cli.processor.CLIProcessor.process(CLIProcessor.java:210) [dev.metaschema.java.cli-processor-2.1.0.jar:?]
	at gov.nist.secauto.oscal.tools.cli.core.CLI.runCli(CLI.java:83) [dev.metaschema.oscal.oscal-cli-enhanced-2.4.0.jar:?]
	at gov.nist.secauto.oscal.tools.cli.core.CLI.main(CLI.java:48) [dev.metaschema.oscal.oscal-cli-enhanced-2.4.0.jar:?]
Caused by: gov.nist.secauto.metaschema.core.metapath.MetapathException: Unable to execute function 'fn:resolve-profile(profile as node()?) as node()'
	at gov.nist.secauto.metaschema.core.metapath.function.DefaultFunction.execute(DefaultFunction.java:253) ~[dev.metaschema.java.metaschema-core-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.core.metapath.cst.StaticFunctionCall.accept(StaticFunctionCall.java:80) ~[dev.metaschema.java.metaschema-core-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.core.metapath.cst.path.RelativeSlashPath.accept(RelativeSlashPath.java:40) ~[dev.metaschema.java.metaschema-core-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.core.metapath.MetapathExpression.evaluate(MetapathExpression.java:430) ~[dev.metaschema.java.metaschema-core-2.1.0.jar:?]
	... 25 more
Caused by: gov.nist.secauto.metaschema.core.metapath.MetapathException: Fun: Unable to resolve profile 'file:/Users/13994/Desktop/Hogwarts%20SSP%20-%201.0%20(2024-12-13T174948Z)/Hogwarts%20SSP%20-%201.0%20(2024-12-13T174948Z).json#bad33640-f1fd-5160-a64e-b3ad4a54ba0d'
	at gov.nist.secauto.oscal.lib.metapath.function.library.ResolveProfile.resolveProfile(ResolveProfile.java:144) ~[dev.metaschema.oscal.liboscal-java-5.1.0.jar:?]
	at gov.nist.secauto.oscal.lib.metapath.function.library.ResolveProfile.executeOneArg(ResolveProfile.java:126) ~[dev.metaschema.oscal.liboscal-java-5.1.0.jar:?]
	at gov.nist.secauto.metaschema.core.metapath.function.DefaultFunction.execute(DefaultFunction.java:240) ~[dev.metaschema.java.metaschema-core-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.core.metapath.cst.StaticFunctionCall.accept(StaticFunctionCall.java:80) ~[dev.metaschema.java.metaschema-core-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.core.metapath.cst.path.RelativeSlashPath.accept(RelativeSlashPath.java:40) ~[dev.metaschema.java.metaschema-core-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.core.metapath.MetapathExpression.evaluate(MetapathExpression.java:430) ~[dev.metaschema.java.metaschema-core-2.1.0.jar:?]
	... 25 more
Caused by: gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolutionException: The provided document 'file:/Users/13994/Desktop/Hogwarts%20SSP%20-%201.0%20(2024-12-13T174948Z)/Hogwarts%20SSP%20-%201.0%20(2024-12-13T174948Z).json#bad33640-f1fd-5160-a64e-b3ad4a54ba0d' does not contain a catalog or profile.
	at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.resolve(ProfileResolver.java:208) ~[dev.metaschema.oscal.liboscal-java-5.1.0.jar:?]
	at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.resolve(ProfileResolver.java:195) ~[dev.metaschema.oscal.liboscal-java-5.1.0.jar:?]
	at gov.nist.secauto.oscal.lib.metapath.function.library.ResolveProfile.resolveProfile(ResolveProfile.java:142) ~[dev.metaschema.oscal.liboscal-java-5.1.0.jar:?]
	at gov.nist.secauto.oscal.lib.metapath.function.library.ResolveProfile.executeOneArg(ResolveProfile.java:126) ~[dev.metaschema.oscal.liboscal-java-5.1.0.jar:?]
	at gov.nist.secauto.metaschema.core.metapath.function.DefaultFunction.execute(DefaultFunction.java:240) ~[dev.metaschema.java.metaschema-core-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.core.metapath.cst.StaticFunctionCall.accept(StaticFunctionCall.java:80) ~[dev.metaschema.java.metaschema-core-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.core.metapath.cst.path.RelativeSlashPath.accept(RelativeSlashPath.java:40) ~[dev.metaschema.java.metaschema-core-2.1.0.jar:?]
	at gov.nist.secauto.metaschema.core.metapath.MetapathExpression.evaluate(MetapathExpression.java:430) ~[dev.metaschema.java.metaschema-core-2.1.0.jar:?]
	... 25 more

The baseline is included in the resources directory, and matches the relative path as shown in the back-matter resource. I've also updated the OSCAL in the telos-fedramp-pilot directory to reflect this.

Where, exactly?

  • OSCAL v1.1.2
  • oscal-cli v2.4.0
  • up-to-date fedramp constraints

Other information

No response
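
The trace above shows the constraint evaluating `resolve-profile(doc(resolve-uri(import-profile/@href)))`, so the `#uuid` href is resolved against the SSP's own URI. The sketch below is an added example, not code from oscal-cli or from this issue: it follows the fragment to the back-matter resource, resolves the rlink relative to the SSP, and checks the declared hash before returning the file. The function names, temp-dir layout, UUID and baseline bytes are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

ALGS = {"SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512"}  # OSCAL -> hashlib

def resolve_import_profile(ssp_path):
    """Follow import-profile/@href (plain URI or '#uuid') to a hash-checked local file."""
    ssp_path = Path(ssp_path)
    ssp = json.loads(ssp_path.read_text())["system-security-plan"]
    href = ssp["import-profile"]["href"]
    if not href.startswith("#"):
        return (ssp_path.parent / href).resolve()  # ordinary relative reference
    uuid = href[1:].lower()  # fragment names a back-matter resource, not a document
    resources = ssp.get("back-matter", {}).get("resources", [])
    res = next((r for r in resources if r["uuid"].lower() == uuid), None)
    if res is None:
        raise LookupError(f"no back-matter resource with uuid {uuid}")
    for rlink in res.get("rlinks", []):
        target = (ssp_path.parent / rlink["href"]).resolve()
        if urlsplit(rlink["href"]).scheme or not target.is_file():
            continue  # remote or missing rlink: try the next one
        data = target.read_bytes()
        for h in rlink.get("hashes", []):
            alg = ALGS.get(h["algorithm"].upper())
            if alg and hashlib.new(alg, data).hexdigest() != h["value"].lower():
                raise ValueError(f"{h['algorithm']} mismatch for {target.name}")
        return target
    raise LookupError(f"resource {uuid} has no usable local rlink")

def demo(tamper=False):
    """Build a constructed SSP and baseline file in a temp dir, then resolve it."""
    root = Path(tempfile.mkdtemp())
    (root / "resources").mkdir()
    baseline = root / "resources" / "baseline.xml"  # constructed stand-in
    baseline.write_bytes(b"<catalog/>")
    digest = hashlib.sha384(b"<catalog/>").hexdigest()
    if tamper:
        baseline.write_bytes(b"<catalog>changed</catalog>")
    uuid = "11111111-2222-4333-8444-555555555555"  # constructed UUID
    rlink = {"href": "resources/baseline.xml", "hashes": [{"algorithm": "SHA-384", "value": digest}]}
    ssp = {"system-security-plan": {"import-profile": {"href": f"#{uuid}"},
           "back-matter": {"resources": [{"uuid": uuid, "rlinks": [rlink]}]}}}
    (root / "ssp.json").write_text(json.dumps(ssp))
    return resolve_import_profile(root / "ssp.json")

if __name__ == "__main__":
    print(demo())
```

Calling `demo(tamper=True)` changes the baseline after the digest is recorded, so the resolver raises instead of returning a file whose SHA-384 no longer matches the back-matter entry.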

@aj-stein-gsa
Contributor

Hi, @Telos-sa. 👋 That seems correct. I will evaluate in your repo to confirm I can reproduce and that there is not a new bug. So can I check your repo?

@Telos-sa
Author

@aj-stein-gsa Yes - the repo has the new import-profile structure and has the resources directory included as well.

@aj-stein-gsa
Contributor

Sorry for the delay, it seems I added my fork of the repo as a remote with an incorrect name, and thought the canonical one was behind. It turns out that was on me. I pulled down the local changes, and I do not get this error, it works for me. See below.

me@computer % git branch --show-current
main
me@computer % git rev-parse HEAD
03ddce9a6d1d181f27f5ebf1b664c63e87197571
me@computer % oscal-cli --version
oscal-cli 2.4.0 built at 2024-11-26 17:07 from branch dba6d9c570f0aa42022d9754df42d1dc5fc295d4 (dba6d9c) at https://github.com/metaschema-framework/oscal-cli
liboscal-java  built at 2024-11-26 16:40 from branch 2f3a394fa856e2bc90b74425c639c9bc107ea4e6 (2f3a394) at https://github.com/metaschema-framework/liboscal-java
oscal v1.1.3 built at 2024-11-26 16:40 from branch b123c11bd12c8b8f1bcc8bf85763e5775c0423e9 (b123c11) at https://github.com/usnistgov/OSCAL.git
metaschema-java 2.1.0 built at 2024-11-26T16:21:47+0000 from branch 462da0c64add5b369af740f4d2057643ac72b056 (462da0c) at https://github.com/metaschema-framework/metaschema-java
metaschema 2.1.0 built at 2024-11-26T16:21:47+0000 from branch b6601f7430f83f1a53a11bf32575b69e131bc912 (b6601f7) at https://github.com/metaschema-framework/metaschema.git
me@computer telos-fedramp-pilot % oscal-cli validate '/home/me/telos-fedramp-pilot/Hogwarts SSP - 1.0 (2024-12-13T174948Z)/Hogwarts SSP - 1.0 (2024-12-13T174948Z).json'
Validating 'file:///home/me/telos-fedramp-pilot/Hogwarts%20SSP%20-%201.0%20(2024-12-13T174948Z)/Hogwarts%20SSP%20-%201.0%20(2024-12-13T174948Z).json' as JSON.
Validation identified the following issues:
[WARNING] [/system-security-plan/metadata[1]/party[5]/telephone-number[1]] Value '001-46785-115547' did not match the pattern '^[0-9]{3}[0-9]{1,12}$' at path '/system-security-plan/metadata[1]/party[5]/telephone-number[1]'
[WARNING] [/system-security-plan/metadata[1]/party[7]/telephone-number[1]] Value '123456789-4452' did not match the pattern '^[0-9]{3}[0-9]{1,12}$' at path '/system-security-plan/metadata[1]/party[7]/telephone-number[1]'
[WARNING] [/system-security-plan/metadata[1]/party[8]/telephone-number[1]] Value '12345678522-2' did not match the pattern '^[0-9]{3}[0-9]{1,12}$' at path '/system-security-plan/metadata[1]/party[8]/telephone-number[1]'
[WARNING] [/system-security-plan/metadata[1]/party[11]/telephone-number[1]] Value '1800-123-4567' did not match the pattern '^[0-9]{3}[0-9]{1,12}$' at path '/system-security-plan/metadata[1]/party[11]/telephone-number[1]'
[WARNING] [/system-security-plan/system-implementation[1]/component[10]/protocol[1]] It is a best practice to provide a UUID.
[WARNING] [/system-security-plan/system-implementation[1]/component[11]/protocol[1]] It is a best practice to provide a UUID.
[WARNING] [/system-security-plan/system-implementation[1]/component[13]/protocol[1]] It is a best practice to provide a UUID.
[ERROR] [/system-security-plan/control-implementation[1]/implemented-requirement[82]] The cardinality '0' is below the required minimum '1' for items matching './/by-component'.
[ERROR] [/system-security-plan/back-matter[1]/resource[6]/prop[1]/@value] Value 'OSCAL Artifacts' doesn't match one of 'acronyms, administrators-guide, agreement, artifact, citation, evidence, external-guidance, image, interview-notes, law, logo, plan, policy, procedure, questionnaire, raw-data, regulation, report, rules-of-behavior, screen-shot, standard, system-guide, tool-output, or users-guide' at path '/system-security-plan/back-matter[1]/resource[6]/prop[1]/@value'
[ERROR] [/system-security-plan/back-matter[1]/resource[10]/prop[1]/@value] Value 'separation-of-duties-matrix' doesn't match one of 'acronyms, administrators-guide, agreement, artifact, citation, evidence, external-guidance, image, interview-notes, law, logo, plan, policy, procedure, questionnaire, raw-data, regulation, report, rules-of-behavior, screen-shot, standard, system-guide, tool-output, or users-guide' at path '/system-security-plan/back-matter[1]/resource[10]/prop[1]/@value'
The file 'file:///home/me/telos-fedramp-pilot/Hogwarts%20SSP%20-%201.0%20(2024-12-13T174948Z)/Hogwarts%20SSP%20-%201.0%20(2024-12-13T174948Z).json' is invalid.

Observe how there is no error about profile resolution, so I am not sure what is happening there.

@Telos-sa
Author

@aj-stein-gsa After some further testing, this error only occurs when validating against the oscal-external-constraints.xml file (with -c oscal-external-constraints.xml): https://github.com/GSA/fedramp-automation/blob/develop/src/validations/constraints/oscal-external-constraints.xml

@aj-stein-gsa
Contributor

> this error only occurs when validating against the oscal-external-constraints.xml file (with -c oscal-external-constraints.xml):

Thank you, that is very helpful information. I will track down and triage this issue. I can reproduce the error now.

@aj-stein-gsa aj-stein-gsa moved this from 📋 Backlog to 🔖 Ready in FedRAMP Automation Dec 17, 2024