Protocol assemblies can be defined in SSPs empty without port-ranges #1521
Comments
Potentially we can fix this in 1.1 (not yet sprint assigned, just an estimate of the milestone per discussion in issue triage). |
|
Since neither
|
|
This is what I'm looking at for the fix. I tried to base on the other tests I saw in OSCAL, so if someone could double check me for obvious test syntax problems. The plan:
This covers:
<!-- Added Contraints as Warnings -->
<constraint>
<expect level="WARNING" id="port-range-start-and-end-not-specified" target="." test="exists(@start) and exists(@end)">
<message>If a protocol is defined, it should include a start and end port range. To define a single port, the start and end should be the same value.</message>
</expect>
<expect level="WARNING" id="port-range-start-specified-with-no-end" target="." test="exists(@start) and not(exists(@end))">
<message>A start port exists, but an end point does not. To define a single port, the start and end should be the same value.</message>
</expect>
<expect level="WARNING" id="port-range-end-specified-with-no-start" target="." test="not(exists(@start)) and exists(@end)">
<message>An end point exists, but a start port does not. To define a single port, the start and end should be the same value.</message>
</expect>
<expect level="WARNING" id="port-range-end-date-is-before-start-date" target="." test="@start ≤ @end">
<message>The port range specified has an end port that is less than the start port.</message>
</expect>
</constraint>If this looks good I'll work it up in a PR to develop. |
|
@Compton-NIST and @GaryGapinski - I think Gary brings very good points, that both |
Looks good so far, but just draft the PR and we will review it there. |
I set it at the warning level with the expectation that this would not break existing implementations of OSCAL by unexpectedly failing validations. We can always escalate the level of the constraint in a breaking release. |
github-project-automation
bot
moved this from Under Review
to Done
in NIST OSCAL Work Board
…gov#1674) * Require (Warn) port start and end when protocol is specified. usnistgov#1521 * Fix less than/equal entity in test. usnistgov#1521
…gov#1674) * Require (Warn) port start and end when protocol is specified. usnistgov#1521 * Fix less than/equal entity in test. usnistgov#1521
…gov#1674) * Require (Warn) port start and end when protocol is specified. usnistgov#1521 * Fix less than/equal entity in test. usnistgov#1521
Describe the bug
Per discussion with @david-waltermire-nist, @iMichaela, and @GaryGapinski with an external stakeholder, it was determined that vanilla NIST OSCAL (in
1.x.yreleases) permit aprotocolassembly to be defined implemented without aport-rangewithin or any other semantically meaningful detail documented, but is optional. Per discussion with the team, it is advisable to add a warning constraint (or pending further feedback, a schema modification but this would be backwards-compatibility breaking) to inform developers and users the protocol definition will only logically be useful without port ranges.Who is the bug affecting
Tool authors and security practitioners who want to properly document protocol usage in a SSP component accurately without error and missing meaningful information.
What is affected by this bug
Documentation, Metaschema, Modeling
How do we replicate this issue
system-security-plan.componentin the SSP from 1.<protocol />within the component from 2.oscal-clitool. Observe no warning or other form of output indicating that aprotocolwithout aport-rangeis missing meaningful port information.Expected behavior (i.e. solution)
A constraint is implemented to warn the developers or users that the protocol is missing meaningful port range information.
Other comments
No response
The text was updated successfully, but these errors were encountered: