Describe the bug

When the OSCAL CLI encounters a runtime error and crashes, it fails to generate the expected SARIF (Static Analysis Results Interchange Format) output file, leaving users without error analysis data.

Who is the bug affecting?

Security engineers, compliance analysts, and developers who use the OSCAL CLI for security control assessment automation and need SARIF output for their tooling and analysis pipelines.

What is affected by this bug?

- Automated security analysis workflows that depend on SARIF output
- Integration with other security tools expecting SARIF format
- Error tracking and debugging capabilities
- Compliance verification processes

When does this occur?

The issue occurs under the following conditions:

- During OSCAL CLI runtime execution
- When the CLI encounters an unhandled exception or crashes
- Instead of failing gracefully and producing partial SARIF output, the process terminates without generating any output file

Run the unit tests on this branch to reproduce: https://github.com/GSA/fedramp-automation/pull/736

How do we replicate the issue?

1. Have a constraint with a metapath that causes a runtime error
2. Execute validation

Expected behavior (i.e. solution)

Even when encountering a runtime error, the OSCAL CLI should:

- Catch the exception gracefully
- Generate a SARIF file containing:
  - Information about the error that caused the crash
  - Any validation results collected up to the point of failure
  - Stack trace or relevant debug information
- Exit with an appropriate error code while still preserving output

Other Comments

- This impacts the reliability of automated testing pipelines
- Consider implementing a try-catch mechanism around the SARIF output generation
- Partial SARIF output would be more useful than no output at all
- Related to error handling and graceful degradation of the CLI tool