Open Telos-sa opened 2 weeks ago
Thank you, this is a very useful bug report. We will track this down soon. More updates to follow.
/cc @david-waltermire
@Telos-sa, can you please provide the following specifically:
oscal-cli --version
in full?
--disable-schema-validation
at the end?
Thanks in advance for your continued reports, we appreciate it.
oscal-cli --version
oscal-cli 2.2.0 built at 2024-10-08 23:48 from branch 0b9478792d27837a8967cc72a0c98776b24f7102 (0b94787) at https://github.com/metaschema-framework/oscal-cli
liboscal-java built at 2024-10-08 22:12 from branch 0e7de882592dedef37a1fc30101393e6c4fe71f3 (0e7de88) at https://github.com/metaschema-framework/liboscal-java
oscal v1.1.2 built at 2024-10-08 22:12 from branch 4f02dac6f698efda387cc5f55bc99581eaf494b6 (4f02dac) at https://github.com/usnistgov/OSCAL.git
metaschema-java 1.2.0 built at 2024-10-08T20:00:42+0000 from branch 46df8d8fc25c5de1d7cb0485e534f31efe61b2b7 (46df8d8) at https://github.com/metaschema-framework/metaschema-java
metaschema built at 2024-10-08T20:00:42+0000 from branch 7c03ce5844e46cf9d047193a37e44422ae6a7d61 (7c03ce5) at https://github.com/metaschema-framework/metaschema.git
@aj-stein-gsa What argument did you want to see output of with --disable-schema-validation? The --version output? or the stack trace output?
Can you please re-run the command that led to this stack trace with the correct file, like so:
oscal-cli validate ... --disable-schema-validation
And to make sure I am on the same page, can you please update the full command showing that failed validation command, with or without --disable-schema-validation? Thank you!
Here it is with the command:
oscal-cli ssp validate FedRAMP\ SSP\ -\ 24.03\ \(2024-10-17T165358Z\).json --show-stack-trace --disable-schema-validation
This command path is deprecated. Please use 'validate'.
Validating 'file:///Users/13994/Desktop/SA%20Git/xacta360-xde-oscal-schema-export/FedRAMP%20SSP%20-%2024.03%20(2024-10-17T165358Z).json' as JSON.
An uncaught runtime error occurred. null
java.lang.NullPointerException: null
at gov.nist.secauto.metaschema.core.util.ObjectUtils.requireNonNull(ObjectUtils.java:53) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.databind.model.IBoundDefinitionModelFieldComplex.getFieldValue(IBoundDefinitionModelFieldComplex.java:77) ~[dev.metaschema.java.metaschema-databind-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.metapath.item.node.FieldInstanceNodeItemImpl.getAtomicValue(FieldInstanceNodeItemImpl.java:68) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.metapath.item.node.IFeatureAtomicValuedItem.newAtomicItem(IFeatureAtomicValuedItem.java:22) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at nl.talsmasoftware.lazy4j.Lazy.forceEagerEvaluation(Lazy.java:85) ~[nl.talsmasoftware.lazy4j-2.0.0.jar:?]
at nl.talsmasoftware.lazy4j.Lazy.get(Lazy.java:101) ~[nl.talsmasoftware.lazy4j-2.0.0.jar:?]
at gov.nist.secauto.metaschema.core.metapath.item.node.FieldInstanceNodeItemImpl.toAtomicItem(FieldInstanceNodeItemImpl.java:73) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.metapath.function.library.FnData.fnDataItem(FnData.java:127) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.model.constraint.DefaultConstraintValidator.validateMatchesItem(DefaultConstraintValidator.java:526) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.model.constraint.DefaultConstraintValidator.lambda$validateMatches$2(DefaultConstraintValidator.java:517) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:183) ~[?:?]
at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195) ~[?:?]
at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:177) ~[?:?]
at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195) ~[?:?]
at java.base/java.util.stream.Streams$StreamBuilderImpl.forEachRemaining(Streams.java:411) ~[?:?]
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[?:?]
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]
at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150) ~[?:?]
at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173) ~[?:?]
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
at java.base/java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:502) ~[?:?]
at gov.nist.secauto.metaschema.core.model.constraint.DefaultConstraintValidator.validateMatches(DefaultConstraintValidator.java:514) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.model.constraint.DefaultConstraintValidator.validateMatches(DefaultConstraintValidator.java:489) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.model.constraint.DefaultConstraintValidator.validateField(DefaultConstraintValidator.java:188) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.model.constraint.DefaultConstraintValidator$Visitor.visitField(DefaultConstraintValidator.java:937) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.model.constraint.DefaultConstraintValidator$Visitor.visitField(DefaultConstraintValidator.java:887) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.metapath.item.node.IFieldNodeItem.accept(IFieldNodeItem.java:41) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.metapath.item.node.AbstractNodeItemVisitor.visitModelChildren(AbstractNodeItemVisitor.java:73) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.metapath.item.node.AbstractNodeItemVisitor.visitAssembly(AbstractNodeItemVisitor.java:173) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.model.constraint.DefaultConstraintValidator$Visitor.visitAssembly(DefaultConstraintValidator.java:951) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.model.constraint.DefaultConstraintValidator$Visitor.visitAssembly(DefaultConstraintValidator.java:887) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.metapath.item.node.IAssemblyNodeItem.accept(IAssemblyNodeItem.java:38) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.metapath.item.node.AbstractNodeItemVisitor.visitModelChildren(AbstractNodeItemVisitor.java:73) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.metapath.item.node.AbstractNodeItemVisitor.visitAssembly(AbstractNodeItemVisitor.java:173) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.model.constraint.DefaultConstraintValidator$Visitor.visitAssembly(DefaultConstraintValidator.java:951) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.model.constraint.DefaultConstraintValidator$Visitor.visitAssembly(DefaultConstraintValidator.java:887) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.metapath.item.node.IAssemblyNodeItem.accept(IAssemblyNodeItem.java:38) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.metapath.item.node.AbstractNodeItemVisitor.visitModelChildren(AbstractNodeItemVisitor.java:73) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.metapath.item.node.AbstractNodeItemVisitor.visitAssembly(AbstractNodeItemVisitor.java:173) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.model.constraint.DefaultConstraintValidator$Visitor.visitAssembly(DefaultConstraintValidator.java:951) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.model.constraint.DefaultConstraintValidator$Visitor.visitAssembly(DefaultConstraintValidator.java:887) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.metapath.item.node.IAssemblyNodeItem.accept(IAssemblyNodeItem.java:38) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.metapath.item.node.AbstractNodeItemVisitor.visitModelChildren(AbstractNodeItemVisitor.java:73) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.metapath.item.node.AbstractNodeItemVisitor.visitAssembly(AbstractNodeItemVisitor.java:173) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.model.constraint.DefaultConstraintValidator$Visitor.visitAssembly(DefaultConstraintValidator.java:951) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.model.constraint.DefaultConstraintValidator$Visitor.visitAssembly(DefaultConstraintValidator.java:887) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.metapath.item.node.IAssemblyNodeItem.accept(IAssemblyNodeItem.java:38) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.core.model.constraint.DefaultConstraintValidator.validate(DefaultConstraintValidator.java:142) ~[dev.metaschema.java.metaschema-core-1.2.0.jar:?]
at gov.nist.secauto.metaschema.databind.IBindingContext.validate(IBindingContext.java:360) ~[dev.metaschema.java.metaschema-databind-1.2.0.jar:?]
at gov.nist.secauto.metaschema.databind.IBindingContext.validate(IBindingContext.java:332) ~[dev.metaschema.java.metaschema-databind-1.2.0.jar:?]
at gov.nist.secauto.metaschema.databind.IBindingContext.validateWithConstraints(IBindingContext.java:416) ~[dev.metaschema.java.metaschema-databind-1.2.0.jar:?]
at gov.nist.secauto.metaschema.cli.commands.AbstractValidateContentCommand$AbstractValidationCommandExecutor.execute(AbstractValidateContentCommand.java:289) ~[dev.metaschema.java.metaschema-cli-1.2.0.jar:?]
at gov.nist.secauto.oscal.tools.cli.core.commands.oscal.AbstractDeprecatedOscalValidationSubcommand$DeprecatedOscalCommandExecutor.execute(AbstractDeprecatedOscalValidationSubcommand.java:41) ~[dev.metaschema.oscal.oscal-cli-enhanced-2.2.0.jar:?]
at gov.nist.secauto.metaschema.cli.processor.CLIProcessor$CallingContext.invokeCommand(CLIProcessor.java:405) ~[dev.metaschema.java.cli-processor-1.2.0.jar:?]
at gov.nist.secauto.metaschema.cli.processor.CLIProcessor$CallingContext.processCommand(CLIProcessor.java:376) [dev.metaschema.java.cli-processor-1.2.0.jar:?]
at gov.nist.secauto.metaschema.cli.processor.CLIProcessor.parseCommand(CLIProcessor.java:175) [dev.metaschema.java.cli-processor-1.2.0.jar:?]
at gov.nist.secauto.metaschema.cli.processor.CLIProcessor.process(CLIProcessor.java:158) [dev.metaschema.java.cli-processor-1.2.0.jar:?]
at gov.nist.secauto.oscal.tools.cli.core.CLI.runCli(CLI.java:69) [dev.metaschema.oscal.oscal-cli-enhanced-2.2.0.jar:?]
at gov.nist.secauto.oscal.tools.cli.core.CLI.main(CLI.java:39) [dev.metaschema.oscal.oscal-cli-enhanced-2.2.0.jar:?]
Thanks for this report. Per review after today's discussion, there is a bug in the NIST documentation (reported in https://github.com/usnistgov/OSCAL-Reference/issues/42) and a need to add a more precise error message about how the necessary element in JSON is missing and gracefully handling that error condition, not presenting an NPE with stack trace without further detail. The metaschema-framework maintainers are tracking that in https://github.com/metaschema-framework/metaschema-java/issues/205. Once these upstream issues are resolved, I can mark this issue downstream here as resolved. For the time being, I will mark it as blocked.
For @aj-stein-gsa need to revisit the output and confirm improved error handling in 2.3.0 or newer release of oscal-cli.
This is a ...
improvement - something could be better
This relates to ...
User Story
When validating an OSCAL SSP using the enhanced oscal-cli (v2.2.0), if there is no 'value' element provided in a 'hashes' object then a runtime error occurs:
Example rlinks>hashes structure causing the runtime error:
Runtime error with stack trace:
This is only an issue with the enhanced oscal-cli (I used v2.2.0). This doesn't occur with the base oscal-cli from NIST (v1.0.3). Here is the error message output when using the base oscal-cli (v1.0.3):
Goals
Modify enhanced oscal-cli validation to yield an error message for missing hashes>value rather than causing a runtime error.
Dependencies
No response
Acceptance Criteria
Other information
No response
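Added example, not part of the original issue and not code from oscal-cli or metaschema-java: a pre-flight check that walks an OSCAL JSON document and reports every hashes entry lacking a 'value', so the gap can be fixed before the file reaches a validator that fails with a bare NullPointerException. The function name and the sample document are constructed for illustration, and flagging an empty 'value' goes one step beyond the missing-key case reported above.

```python
import json

# Constructed sample: a minimal SSP fragment. The second hash entry omits
# "value" (the condition reported in this issue); the third has a blank one.
SAMPLE_SSP = json.loads("""
{"system-security-plan": {"back-matter": {"resources": [{
  "uuid": "00000000-0000-4000-8000-000000000002",
  "rlinks": [{
    "href": "./attachments/policy.pdf",
    "hashes": [
      {"algorithm": "SHA-256", "value": "<constructed-digest>"},
      {"algorithm": "SHA-256"},
      {"algorithm": "SHA-512", "value": "  "}
    ]
  }]
}]}}}
""")


def find_incomplete_hashes(node, path=""):
    """Hypothetical helper: return (path, problem) for each entry of any
    "hashes" array that lacks a non-empty string "value"."""
    findings = []
    if isinstance(node, dict):
        for key, child in node.items():
            child_path = f"{path}/{key}"
            if key == "hashes" and isinstance(child, list):
                for i, entry in enumerate(child):
                    value = entry.get("value") if isinstance(entry, dict) else None
                    if value is None:
                        findings.append((f"{child_path}/{i}", "missing 'value'"))
                    elif not isinstance(value, str) or not value.strip():
                        findings.append((f"{child_path}/{i}", "empty 'value'"))
            # Keep descending so nested structures are covered as well.
            findings.extend(find_incomplete_hashes(child, child_path))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            findings.extend(find_incomplete_hashes(child, f"{path}/{i}"))
    return findings


if __name__ == "__main__":
    for location, problem in find_incomplete_hashes(SAMPLE_SSP):
        print(f"{location}: {problem}")
```

The reported paths are slash-separated locations inside the JSON document, which makes the offending rlinks entry easy to find in a large exported SSP.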