JSON Schema Generation Yields Undesired Allowed Values #240
Comments
aj-stein-nist
added
the
XSLT Implementation
|
@wendellpiez asked that @aj-stein-nist and others help with testing a potential fix after .5 (approximated 4 hours) of developing a bug to mitigate the fix. |
|
Similar behavior in this GHA job run when validating and converting content and this Gitter chat indicate there is a high likelihood this reflects the same bug. I am looking into this to potentially unblock myself of usnistgov/oscal-content#139. |
|
I likely will have to sync up with Wendell as it turns out some of the |
|
@wendellpiez, the serialized XML form of the example as it should look based on transforming with the basic JSON->XML serializer in XPath 3.0 (as we discussed on the call): <map key="type">
<array key="anyOf">
<map>
<string key="type">string</string>
</map>
<map>
<array key="enum">
<string>equivalent-to</string>
<string>equal-to</string>
<string>subset-of</string>
<string>superset-of</string>
<string>intersects-with</string>
</array>
</map>
</array>
</map> |
|
Noting that even a value key is not required for data types allowing an empty string, the XML representation is underspecified: At a minimum we need to relax the requirement for the nominal field value property in the JSON to avoid properties with no values (or empty string values). |
|
Wendell and I paired for this afternoon. We agreed that I would follow up with a minimal Metaschema definition and help stub out tests outside of the more complex definition examples that make it hard to exercise the possible bug, different solutions, and how certain JSON Schema fields should and should not be handled ( |
|
Wendell and I had met a few times and paired and he agreed it is best he work on moving forward the Metaschema "mini" (minimally viable model) using the current version to exposed different allowed values sets and write relevant XSpec tests. I got a little ahead of myself and attempted last night to figure out how I can revive the Metaschema test-suite but it is pretty badly broken for now, as I learned in aj-stein-nist@2e67d27 last night. I will unassign myself for now, but sync up and assist accordingly and support Wendell as-is. |
…alue constraints (where possible) usnistgov#240
Per request from @wendellpiez for debugging, I am going to set this up to add to a test submodule and see emmitted JSON Schema result and validation against catalogs in usnistgov/oscal-content examples.
Per request from @wendellpiez for debugging, I am going to set this up to add to a test submodule and see emmitted JSON Schema result and validation against catalogs in usnistgov/oscal-content examples.
|
Now in a working branch we have the beginnings of XSpec, with analysis: The schema marked CORRECTED3 is both correct and complete, testing both the token datatype and applicable enumerations (i.e., any enumerations not to be suppressed by virtue of a narrowing Next up:
|
|
Looking good so far, just some quick feedback because it is a branch and not a PR yet (note to self: this was reviewed in the above branch at commit wendellpiez@d045cc8):
https://gist.github.com/aj-stein-nist/cff37e5580da4cce0d8b689ddd28f486 I will review again in the morning to make sure I didn't miss anything. |
@wendellpiez, ping ping. I know we discussed via Gitter some limited conversation with Dave, but had you looked at my feedback? It appears the branch (at least remote in github.com/wendellpiez) is still as-is, and I want to make sure we get to this eventually. Lemme know! |
|
Based on our conversation today, the following should guide the use of
|
Reflect Dave's feedback and adjust code per the comment in: usnistgov#240 (comment)
|
Hopefully wrapping this up before the end of the week. |
* Fix JSON Schema generation for #240 and add tests. * Adapt test suite approach per PR feedback. * Final cleanup of unused parameter. The shift in test approach, with the shell entrypoint at ist-metaschema-MAKE-JSON-SCHEMA.xsl and not with the previous make-json-schema-metamap.xsl replaced means that parameter, which was not working particularly well in the previous approach.
aj-stein-nist
moved this from Under Review
to Reviewer Approved
in NIST OSCAL Work Board
* Fix JSON Schema generation for #240 and add tests. * Adapt test suite approach per PR feedback. * Final cleanup of unused parameter. The shift in test approach, with the shell entrypoint at ist-metaschema-MAKE-JSON-SCHEMA.xsl and not with the previous make-json-schema-metamap.xsl replaced means that parameter, which was not working particularly well in the previous approach.
* Fix JSON Schema generation for usnistgov/metaschema#240 and add tests. * Adapt test suite approach per PR feedback. * Final cleanup of unused parameter. The shift in test approach, with the shell entrypoint at ist-metaschema-MAKE-JSON-SCHEMA.xsl and not with the previous make-json-schema-metamap.xsl replaced means that parameter, which was not working particularly well in the previous approach.
Describe the bug
Currently, the JSON Schema generator, for metaschema definitions with
allowed-valueswhereallow-other="no", where itstargetdoes not have a predicate (target=".") or the target is not the default OSCAL namespace (for any target that is nottarget=".[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]"), the JSON generator should not emit the allowed values as part of the JSON Schema. Ifallow-other="yes", then the current enum style of JSON Schema validation, when needed in such cases like it, is not correctly implemented.It currently gets emitted like this:
{ "type" : "string" } }, "required" : [ "type" ], "additionalProperties" : false, "enum" : [ "equivalent-to", "equal-to", "subset-of", "superset-of", "intersects-with" ] }We need it to be adapted to emit JSON Schema like this:
Who is the bug affecting?
OSCAL tool developers want to convert mappings from OSCAL XML to OSCAL JSON and must have the latter validated with JSON Schema after the fact.
What is affected by this bug?
Schema validation with JSON schemas generated from the scheme generator(s) in this repo.
When does this occur?
Consistently.
How do we replicate the issue?
When debugging issues with use of NIST OSCAL automation from community stakeholders in CIS, we were asked to troubleshoot and debug issues validating the emitted JSON file via
ajv -c ajv-formats -s oscal_mapping_schema.json -d CCM_CISControlsv8_Mapping-min.jsonafter converting the mapping in OSCAL XML to OSCAL JSON in CI/CD with GitHub Actions. An example run can be found here with current commit aj-stein-nist/CISControls_OSCAL@cd22c23#diff-b7c9b89f382154d95ec71f7a04dd1b62a11804cd8a3ed0c2d908ad97fba7e66e.The following errors for this seemingly valid OSCAL JSON document instance are below, despite all the correct values being defined for the given fields and assemblies in the document.
/home/runner/work/CISControls_OSCAL/CISControls_OSCAL/git-content/mappings/json/CCM_CISControlsv8_Mapping-min.json invalid [ { keyword: 'enum', dataPath: '/mapping-collection/mappings/maps/0/relationship', schemaPath: '#/properties/relationship/enum', params: { allowedValues: [Array] }, message: 'should be equal to one of the allowed values' }, { keyword: 'type', dataPath: '/mapping-collection/mappings', schemaPath: '#/properties/mappings/anyOf/1/type', params: { type: 'array' }, message: 'should be array' }, { keyword: 'anyOf', dataPath: '/mapping-collection/mappings', schemaPath: '#/properties/mappings/anyOf', params: {}, message: 'should match some schema in anyOf' } ] /home/runner/work/CISControls_OSCAL/CISControls_OSCAL/git-content/mappings/json/CCM_CISControlsv8_Mapping-min.json is invalid.Expected behavior (i.e. solution)
JSON Schema validates properly.
Other Comments
The text was updated successfully, but these errors were encountered: