search

oscal-compass / compliance-trestle

An opinionated tooling platform for managing compliance as code, using continuous integration and NIST's OSCAL standard.
https://oscal-compass.github.io/compliance-trestle
Apache License 2.0
152 stars 56 forks source link

trestle author ssp-generate does not seem to do the correct thing with `aggregates` parameters #1596

Open rahearn opened 1 week ago

rahearn commented 1 week ago

Describe the bug

For aggregates parameters (such as si-7_prm_1 from https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json) ssp-generate is showing a warning about the parameter has no values and was referenced by prose and the markdown ends up with the label field inserted, rather than the values aggregated from si-07_odp.01, si-07_odp.02, and si-07_odp.03.

To Reproduce

Steps to reproduce the behavior:

  1. Import the following profile: profile.json
  2. Run trestle author ssp-generate -p imported-profile -o markdown
  3. Note the warnings about values
  4. Open the markdown/si-7.md file
  5. See that the content from the various parameters are set in the assessment objective section, but not in the control statement

Expected behavior

I'd expect there to be no warning about missing values, since the individual aggregated parameters are present, and the control statement output to reference the set parameters instead of the generic catalog label.

Environment

AleJo2995 commented 1 week ago

Hi @rahearn . Just wanted to reach out and let you know that I will be looking at this issue and give feedback about it soon. Thanks for reaching out and will contact again soon.