Constraint error while processing expression: Diagrams

[brian-ruf]

This relates to ...

• the FedRAMP OSCAL Registry
• the FedRAMP OSCAL baselines
• the Guide to OSCAL-based FedRAMP Content
• the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
• the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
• the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
• the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
• the FedRAMP SSP OSCAL Template (JSON or XML Format)
• the FedRAMP SAP OSCAL Template (JSON or XML Format)
• the FedRAMP SAR OSCAL Template (JSON or XML Format)
• the FedRAMP POA&M OSCAL Template (JSON or XML Format)
• the FedRAMP OSCAL Validations

What happened?

When running the FedRAMP constraints against the example SSP, errors occurred while evaluating the expressions related to the presence of the authorization boundary, data flow, and network architecture.

The three are nearly identical, and there is a syntax error in the metapath.

Upon closer evaluation, the constraint needed a few revisions, even if the syntax is corrected. This is due in part to ongoing re-modeling work.

Relevant log output

> A gov.nist.secauto.metaschema.core.model.constraint.impl.DefaultExpectConstraint constraint with id 'has-network-architecture-diagram-link-href-target', matching the item at path '/system-security-plan', resulted in an unexpected error. The error was: An error occurred while evaluating the expression 'not(starts-with(system-characteristics/network-architecture/diagram/link/@href, '#')) or exists(//resource[@uuid eq substring-after($network-architecture-link, '#')])'.

>  A gov.nist.secauto.metaschema.core.model.constraint.impl.DefaultExpectConstraint constraint with id 'has-data-flow-diagram-link-href-target', matching the item at path '/system-security-plan', resulted in an unexpected error. The error was: An error occurred while evaluating the expression 'not(starts-with(system-characteristics/data-flow/diagram/link/@href, '#')) or exists(//resource[@uuid eq substring-after($data-flow-link, '#')])'.

> A gov.nist.secauto.metaschema.core.model.constraint.impl.DefaultExpectConstraint constraint with id 'has-authorization-boundary-diagram-link-href-target', matching the item at path '/system-security-plan', resulted in an unexpected error. The error was: An error occurred while evaluating the expression 'not(starts-with(system-characteristics/authorization-boundary/diagram/link/@href, '#')) or exists(//resource[@uuid eq substring-after($authorization-boundary-link, '#')])'.

How do we replicate this issue?

Run oscal-cli v 2.2.0 against the example SSP file using the fedramp-external-constraints.xml file in the develop branch.

Observe the error for each of the three diagram types.

Where, exactly?

This is happening for each //system-characteristics/*/diagram/@href (where the * represents authorization-boundary, data-flow or network-architecture

Other relevant details

The following should be used for each constraint:

doc-available(//system-characteristics/authorization-boundary/diagram/link[not(starts-with(@href, "#"))]/@href)   or
   ( count(//resource[@uuid=substring-after(//system-characteristics/authorization-boundary/diagram/link[starts-with(@href, "#")]/@href, "#") and ./prop[@name='type' and @value='image' and @class='authorization-boundary']])  = 1)

doc-available(//system-characteristics/data-flow/diagram/link[not(starts-with(@href, "#"))]/@href)   or
   ( count(//resource[@uuid=substring-after(//system-characteristics/data-flow/diagram/link[starts-with(@href, "#")]/@href, "#") and ./prop[@name='type' and @value='image' and @class='data-flow']])  = 1)

doc-available(//system-characteristics/network-architecture/diagram/link[not(starts-with(@href, "#"))]/@href)   or
   ( count(//resource[@uuid=substring-after(//system-characteristics/network-architecture/diagram/link[starts-with(@href, "#")]/@href, "#") and ./prop[@name='type' and @value='image' and @class='network-architecture']])  = 1)

Please note, we are actually checking the link if it is not a URI fragment, and it needs to be reachable. We are are aligning the "type" property with core OSCAL and using the @class to provide a more granular typing to meet FedRAMP's needs.

[aj-stein-gsa]

One of the consequences of doing this bug fix is we didn't update docs, so I am pretty sure @Telos-sa demonstrated in office hours that we have not updated docs to match. I will want to discuss during the tail end of standup, but a documentation update is in order.

@Telos-sa, sorry I did not connect the dots before the end of the call. You were right after all, can you please try re-running the constraint with the appropriate props for the affected back-matter resources associated with the authorization and data-flow diagrams to match these examples?

fedramp-automation/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml

Lines 4813 to 4832 in c0ad00e

	<resource uuid="11111111-2222-4000-8000-001000000056">
	<title>Data Flow Diagram</title>
	<description>
	<p>The primary data flow diagram.</p>
	</description>
	<prop name="type" value="image" class="data-flow" />
	<rlink href="./attachments/diagrams/dataflow.png"/>
	<base64 filename="dataflow.png" media-type="image/png">00000000</base64>
	<remarks>
	<p>Section 8.1, Figure 8-3 Data Flow Diagram (graphic)</p>
	<p>This should be referenced in the system-characteristics/data-flow/diagram/link/@href
	flag using a value of "#11111111-2222-4000-8000-001000000056"</p>
	<p>May use <code>rlink</code> with a relative path, or embedded as
	<code>base64</code>.
	</p>
	<p>FedRAMP prefers <code>base64</code> for images and diagrams.</p>
	<p>Images must be in sufficient resolution to read all detail when rendered in a browser
	via HTML5.</p>
	</remarks>
	</resource>

fedramp-automation/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml

Lines 4770 to 4790 in c0ad00e

	<resource uuid="11111111-2222-4000-8000-001000000054">
	<title>Boundary Diagram</title>
	<description>
	<p>The primary authorization boundary diagram.</p>
	</description>
	<prop name="type" value="image" class="authorization-boundary" />
	<rlink href="./attachments/diagrams/boundary.png"/>
	<base64 filename="logo.png" media-type="image/png">00000000</base64>
	<remarks>
	<p>Section 8.1, Figure 8-1 Authorization Boundary Diagram (graphic)</p>
	<p>This should be referenced in the
	system-characteristics/authorization-boundary/diagram/link/@href flag using a value
	of "#11111111-2222-4000-8000-001000000054"</p>
	<p>May use <code>rlink</code> with a relative path, or embedded as
	<code>base64</code>.
	</p>
	<p>FedRAMP prefers <code>base64</code> for images and diagrams.</p>
	<p>Images must be in sufficient resolution to read all detail when rendered in a browser
	via HTML5.</p>
	</remarks>
	</resource>

[Telos-sa]

@aj-stein-gsa I updated the props for these diagrams, and added in "class"="data-flow" and "authorization-boundary" respectively:
This is the data-flow section

"system-characteristics":{
  "data-flow":{
    "description":"shortened description",
    "diagrams":[
      {
          "uuid":"53e12243-b728-545f-9a2b-4ccdc7ac8cac",
          "description":"<![CDATA[<p>Defense Against the Dark Arts Dataflow:</p>\n<p><img alt=\"\" src=\"Screenshot%202024-08-29%20at%2010.15.44%C3%A2%C2%80%C2%AFAM.png\" /><img alt=\"\" height=\"313\" src=\"a4df1d8918-048-0a5\" width=\"430\" /></p>]]>",
          "links":[
              {
                  "href":"#a2353f63-164b-5595-ba94-4e3cabdfc2e5",
                  "rel":"diagram"
              }
          ],
          "caption":"caption test"
      },
      {
          "uuid":"b6d09a97-1868-58d2-9192-0102b26f5233",
          "description":"<![CDATA[<p>The three hooped goal posts were originally barrel-goals, introduced during <a>Goodwin Kneen</a>'s time. At the time of the introduction of the scoring area, they were replaced by baskets on stilts, but whilst these were practical, they did carry an inherent problem: there was no size restriction on the baskets, which differed dramatically from pitch to pitch.<sup><a>[1]</a></sup></p>\n<p><a class=\"image\"><img alt=\"Quidditch Pitch Diagram\" height=\"131\" src=\"250?cb=20100118014711\" width=\"250\" /></a></p>\n<p><img alt=\"\" height=\"270\" src=\"a4df1d8918-056-0a5\" width=\"503\" /></p>\n<p>A diagram of a 17th-century pitch, included in the book <em><a>The Noble Sport of Warlocks</a></em>, by <a>Quintius Umfraville</a></p>\n<p>By <a class=\"mw-redirect\">1620</a>, scoring areas had been added at each end of the pitch, and an additional rule in the game, a 'stooging penalty', meant that only one <a>Chaser</a> was allowed in these areas at any given time, as noted in <a>Quintius Umfraville</a>'s book <em><a>The Noble Sport of Warlocks</a></em>. In addition, the size of the baskets themselves had reduced considerably, although there was still a certain amount of variation between pitches.</p>]]>",
          "links":[
              {
                  "href":"#ded239e3-4d98-5950-9250-25ffd5e11e79",
                  "rel":"diagram"
              }
          ],
          "caption":"caption test"
      }
    ]
  }
}

And these are the corresponding resources

"back-matter":{
  "resources":[
    {
        "uuid":"ded239e3-4d98-5950-9250-25ffd5e11e79",
        "title":"Quidditch.png",
        "description":"Uploaded file.",
        "props":[
            {
                "name":"type",
                "value":"image",
                "class":"data-flow"
            }
        ],
        "rlinks":[
            {
                "href":"resources/Quidditch.png",
                "media-type":"image/png",
                "hashes":[
                    {
                        "algorithm":"SHA-384",
                        "value":"175b5b64f0b454e78e36d1ffb9013a22870dfdd54bcff1492948eb975e15a763318a975aa0e6737006e82f17af38058f"
                    }
                ]
            }
        ]
    },
    {
      "uuid":"a2353f63-164b-5595-ba94-4e3cabdfc2e5",
      "title":"DefenseDarkArts.png",
      "description":"Uploaded file.",
      "props":[
          {
              "name":"type",
              "value":"image",
              "class":"data-flow"
          }
      ],
      "rlinks":[
          {
              "href":"resources/DefenseDarkArts.png",
              "media-type":"image/png",
              "hashes":[
                  {
                      "algorithm":"SHA-384",
                      "value":"062e41873afb46c78553393149268a10e1f45090df43e63289ae8318e187382aaaed32d1c6b75c434400fdfe78b3abeb"
                  }
              ]
          }
      ]
    }
  ]
}

This structure is still causing the critical error:

FATAL: [CRITICAL] [/system-security-plan] has-data-flow-diagram-link-href-target: A gov.nist.secauto.metaschema.core.model.constraint.impl.DefaultExpectConstraint constraint with id 'has-data-flow-diagram-link-href-target', matching the item at path '/system-security-plan', resulted in an unexpected error. The error was: An error occurred while evaluating the expression 'doc-available(resolve-uri(system-characteristics/data-flow/diagram/link[not(starts-with(@href, '#'))]/@href)) or count(//resource[@uuid=substring-after($data-flow-href, '#') and prop[@name='type' and @value='image' and @class='data-flow']]) = 1'. Unable to execute function 'fn:count(arg as item()*) as meta:integer'

Do you see something else that might be causing this error? I tested and the presence of "ns" doesn't matter

[aj-stein-gsa]

@aj-stein-gsa I updated the props for these diagrams, and added in "class"="data-flow" and "authorization-boundary" respectively: This is the data-flow section

...

Do you see something else that might be causing this error? I tested and the presence of "ns" doesn't matter

@Telos-sa, can you please updated sample to your repository for this example and add the folders with the dummy data flow diagram files as well (to be clear, make the dummy image files in "OSCAL SSP/resources" folder per the snippet you provide above)? Thanks again for your bug report and follow-through.

[Telos-sa]

@aj-stein-gsa I just added the files to the repository with all of the resources, and the updated prop structures for data-flow, authorization-boundary, and network-architecture

[aj-stein-gsa]

I confirmed that the updated code and ran the test samples provided from our community partner @Telos-sa and the error is no longer thrown. This work is back to ready to ship now that docs are included.