OSCAL-CLI (system-implementation/component Constraint issues #186
Comments
Also, I did not notice this in the OSCAL repository. As this is a report about processing of data instances with the CLI, I will transfer this to the oscal-cli repository. Thanks for your report.
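Hi @Telos-sa, let's address the ambiguity in the Metaschema module, documentation string, and the tool error that you have reported.
This refers to this [Metaschema constraint](https://github.com/usnistgov/OSCAL/blob/ef4df067c280e718e107c646f7567c053c2abfc8/src/metaschema/oscal_component_metaschema.xml#L235), which is to say the protocol is only allowed within component definitions only of type="service" and not others. If you wish to recommend a change to this requirement, we recommend you open a separate issue for the OSCAL models in usnistgov/OSCAL. Sorry to ask this after I relocated the issue, I didn't mean to give you the run-around.
Now, let's address the other part.
First, I see this example is in XML (thanks for reporting with a full example; seriously, this is very much appreciated!). I bring up XML because, with XML schema language and the Metaschema constraints expressed by them, the order is deterministic (not like JSON): you must put them in the correct order.
So in both cases, these are correct behavior and expected per the schema. If I misunderstood, feel free to reopen this issue and I will examine accordingly.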
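An added example, not part of the thread or of oscal-cli: a Python pre-check that approximates the constraint quoted in the error, `not(exists((.)[not(@type='service')]/protocol))`, and the one-sided port-range warning, over a constructed SSP fragment. The function name, messages and sample data are assumptions; oscal-cli remains the authoritative validator.

```python
import xml.etree.ElementTree as ET

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"  # OSCAL 1.x XML namespace
NS = {"o": OSCAL_NS}

# Constructed, simplified SSP fragment (not schema-complete, not from the attachment).
SAMPLE_SSP = f"""\
<system-security-plan xmlns="{OSCAL_NS}" uuid="11111111-1111-4111-8111-111111111111">
  <system-implementation>
    <component uuid="22222222-2222-4222-8222-222222222222" type="software">
      <title>Web server software</title>
      <protocol name="https"><port-range start="443" end="443" transport="TCP"/></protocol>
    </component>
    <component uuid="33333333-3333-4333-8333-333333333333" type="service">
      <title>Admin SSH</title>
      <protocol name="ssh"><port-range end="22" transport="TCP"/></protocol>
    </component>
    <component uuid="44444444-4444-4444-8444-444444444444" type="interconnection">
      <title>Partner link</title>
    </component>
  </system-implementation>
</system-security-plan>
"""

ERR_PROTOCOL = "protocol is only allowed on components of type 'service'"
WARN_RANGE = "port-range has only one of start/end"


def lint_components(xml_text):
    """Return (level, path, message) findings, using oscal-cli style paths."""
    root = ET.fromstring(xml_text)  # run only on SSP files you trust
    findings = []
    for s_idx, impl in enumerate(root.findall("o:system-implementation", NS), 1):
        for c_idx, comp in enumerate(impl.findall("o:component", NS), 1):
            path = (f"/system-security-plan/system-implementation[{s_idx}]"
                    f"/component[{c_idx}]")
            protocols = comp.findall("o:protocol", NS)
            # A missing @type also fails the constraint when a protocol is present.
            if protocols and comp.get("type") != "service":
                findings.append(("ERROR", path, ERR_PROTOCOL))
            for p_idx, proto in enumerate(protocols, 1):
                for r_idx, rng in enumerate(proto.findall("o:port-range", NS), 1):
                    # Exactly one of start/end present: a single port needs both.
                    if (rng.get("start") is None) != (rng.get("end") is None):
                        findings.append(
                            ("WARNING",
                             f"{path}/protocol[{p_idx}]/port-range[{r_idx}]",
                             WARN_RANGE))
    return findings


if __name__ == "__main__":
    for level, path, message in lint_components(SAMPLE_SSP):
        print(f"[{level}] [{path}] {message}")
```
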
Thanks AJ,
I think it would be a good idea to expand on the protocol tag to include software and interconnection. I provided some of the examples, from questions I've had. I can always create a ticket for tracking. Wasn't sure if these were considerations and if there is any guidance on how to handle. Making the tag available for other components and expanding the use case (while keeping it as not required) would give local organizations the ability to define their requirements as a layer above the OSCAL model, without their needing to add a prop.
1. Is service considering the software component, and how it is being leveraged? Or should software also have the tag for port/protocol?
2. Communication between two inventory items (Web server and DB), should that be considered a service or interconnection?
3. Communication between two systems (interconnection), should API be considered a secondary service that is supporting the interconnection (requiring two component entries)?
4. Are cryptographic modules considered a component, or should they instead be leveraged to describe the security of a component/inventory/dataflow of service?
5. Customer/admin access : should that be a service < IE describing apache (software) that hosts the webapp on 443 for customer access? OR SSH (Service) that supports admin access to the inventory > or an interconnection < since the connection traverses the boundary >
Lacy
Stephanie Lacy | Senior Solutions Architect
Good Morning,
This is perfect. I think I am going to submit an enhancement for the interconnections. And it would be great to work out a model for presenting protocols within the edge cases, just to confirm the findings.
Thanks AJ!
Lacy
Stephanie Lacy | Senior Solutions Architect
You're welcome, let me know if there is anything you need from the team to help make such an issue (in that case, do it in usnistgov/OSCAL, and reference this issue), I just want to shunt the tickets around to make sure the team knows how to keep organized. Thanks again!
Describe the bug
ERROR] [/system-security-plan/system-implementation[1]/component[12]] Expect constraint 'not(exists((.)[not(@type='service')]/protocol))' did not match the data at path '/system-security-plan/system-implementation[1]/component[12]'
Cannot determine what the error means, to correct.
This is the structure that was followed:
However the attributes "end" and "start" are swapped, resulting in additional warnings.
[WARNING] [/system-security-plan/system-implementation[1]/component[12]/protocol[1]] It is a best practice to provide a UUID.
[WARNING] [/system-security-plan/system-implementation[1]/component[12]/protocol[1]/port-range[1]] A start port exists, but an end point does not. To define a single port, the start and end should be the same value.
[WARNING] [/system-security-plan/system-implementation[1]/component[12]/protocol[1]/port-range[1]] An end point exists, but a start port does not. To define a single port, the start and end should be the same value.
[ERROR] [/system-security-plan/system-implementation[1]/component[13]] Expect constraint 'not(exists((.)[not(@type='service')]/protocol))' did not match the data at path '/system-security-plan/system-implementation[1]/component[13]'
[WARNING] [/system-security-plan/system-implementation[1]/component[13]/protocol[1]] It is a best practice to provide a UUID.
[WARNING] [/system-security-plan/system-implementation[1]/component[13]/protocol[1]/port-range[1]] A start port exists, but an end point does not. To define a single port, the start and end should be the same value.
[WARNING] [/system-security-plan/system-implementation[1]/component[13]/protocol[1]/port-range[1]] An end point exists, but a start port does not. To define a single port, the start and end should be the same value.
[WARNING] [/system-security-plan/system-implementation[1]/component[14]/protocol[1]] It is a best practice to provide a UUID.
[WARNING] [/system-security-plan/system-implementation[1]/component[14]/protocol[1]/port-range[1]] A start port exists, but an end point does not. To define a single port, the start and end should be the same value.
[WARNING] [/system-security-plan/system-implementation[1]/component[14]/protocol[1]/port-range[1]] An end point exists, but a start port does not. To define a single port, the start and end should be the same value.
[WARNING] [/system-security-plan/system-implementation[1]/component[15]/protocol[1]] It is a best practice to provide a UUID.
[WARNING] [/system-security-plan/system-implementation[1]/component[15]/protocol[1]/port-range[1]] A start port exists, but an end point does not. To define a single port, the start and end should be the same value.
[WARNING] [/system-security-plan/system-implementation[1]/component[15]/protocol[1]/port-range[1]] An end point exists, but a start port does not. To define a single port, the start and end should be the same value.
Please confirm the source of the bug, and if it is a requirement that the attributes are in specific order for the oscal-cli
Attached the SSP package for review:
FedRAMP---Major-System-Boundary_OSCAL-export_20230823.zip
Who is the bug affecting
Components with protocol tag
What is affected by this bug
Tooling & API
How do we replicate this issue
Load the SSP provided into the OSCAL CLI and validate
Expected behavior (i.e. solution)
Attributes should not be locked to a specific order to structure or validate. Confirmed when using xmllint, that the structure validates, which means it is the rules set that requires the specific format.
Other comments
No response
Revisions
No response