-
Notifications
You must be signed in to change notification settings - Fork 185
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Incorrect Index Enforcement of "provided-by" link rel in Components #2073
Comments
Just a heads up from knowledge and experience, the |
Also, I will draft a PR for this, per discussion yesterday that led to @brian-ruf drafting this issue in the first place. This appears to be FedRAMP-specific logic in the index and index enforcement. So for the time being, I will propose deleting it to resolve this bug and FedRAMP can handle it via externalized constraints. This will not overly constraint generic use cases, NIST RMF or otherwise, that do not apply outside the scope of FedRAMP use. |
This may be the same root cause as the issue Telos raised in #2064. I missed that issue when I opened this, and it may be that this issue should be merged with that one. |
Well the related PR (#2075) has been merged and may be released today, so does this point mean the NIST OSCAL Team can hopefully close both? |
Upon review, it appears PR #2075 will resolve this issue. |
Describe the bug
When attempting to relate a "service" component to a "system" component using the using the
//component[@type='service']/link[@rel='provided-by']/@href]
field, theoscal-cli
returns an error, even though the "system" component's UUID is referenced properly.The UUID value is valid as confirmed by:
//component[@type='system' and @uuid=//component[@type='service']/link[@rel='provided-by']/@href]
OSCAL CLI to validate the following code snippet ...
the
oscal-cli
produces the following error ...Who is the bug affecting
SSP Authors who are trying to link "service" components to the "system" component that provides those services.
What is affected by this bug
OSCAL Content, Documentation, Metaschema
How do we replicate this issue
Run the latest OSCAL cli against this file:
valid-SSP.zip
using:
oscal-cli validate valid-SSP.xml
Observe error pasted above
Edit the file to pre-pend a hashtag (
#
) to the UUID value in thelink/@href
and re-run the OSCAL CLI.Observe the same error.
Expected behavior (i.e. solution)
No error - valid content.
Other comments
NOTE 1: This appears to be caused by an incorrect index as defined in the OSCAL SSP Metaschema.
https://github.com/usnistgov/OSCAL/blob/v1.1.2/src/metaschema/oscal_ssp_metaschema.xml#L640-L642
NOTE 2: The documentation is unclear as to whether this value should include a leading hashtag (#) in
//component[@type='service']/link[@rel='provided-by']/@href
.The documentation and metaschema definition seem to suggest the hashtag should not be present; however, when observing a similar use case in the NIST SP 800-53 catalog, the hashtag is present when a
link/@href
is used to relate one control to another control in the same file. Also a leading hashtag is consistent with a URI fragment.Revisions
No response
The text was updated successfully, but these errors were encountered: