oscal-compass / compliance-trestle

An opinionated tooling platform for managing compliance as code, using continuous integration and NIST's OSCAL standard.
https://oscal-compass.github.io/compliance-trestle
Apache License 2.0

Classes based on OSCAL schema do not enforce well-formed OSCAL content #1630

Open jpower432 opened 3 months ago

jpower432 commented 3 months ago

Describe the bug

The csv_to_oscal_cd task produces a component definition that is not well-formed when a profile is specified for a rule with no mapped controls. This issue is meant to capture the root cause of this issue, which is that the classes representing the OSCAL schema do not enforce this.

To Reproduce

Steps to reproduce the behavior:

See #1606 for reproduction steps

Expected behavior

Failure relating to the invalid OSCAL Model Object

Screenshots / Logs.

Related to #1606

Environment

jpower432 commented 3 months ago

@degenaro Please add additional information as necessary

degenaro commented 3 months ago

The issue here is that the datamodel-codegen process assisted generation of Python classes seemingly does not produce constraints that ensure, in the cited issue #1606 for example, that when an array is specified it must have at least one element. Resolving this issue will likely involve understanding how to detect such situations in the OSCAL model and producing the annotation in the generated code accordingly. This may be a datamodel-codegen problem. Even so, a work-around in the trestle domain to the extent reasonably achievable may be warranted.
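One way to detect the situation described in the comment above, as an added example that is not trestle or datamodel-codegen code: walk a JSON schema for `minItems` and report every array in an instance that falls short of it. The schema fragment, the field names in it and the sample instance are constructed for illustration and are assumptions, not copied from the OSCAL schema or from #1606.

```python
# Added example: find arrays that violate a JSON schema's minItems.
# SCHEMA is a constructed fragment in the style of an OSCAL JSON schema.
SCHEMA = {"definitions": {
    "control_implementation": {"properties": {
        "source": {"type": "string"},
        "implemented-requirements": {
            "type": "array", "minItems": 1,
            "items": {"$ref": "#/definitions/implemented_requirement"},
        },
    }},
    "implemented_requirement": {"properties": {
        "control-id": {"type": "string"},
        "statements": {"type": "array", "minItems": 1},
    }},
}}
CI = SCHEMA["definitions"]["control_implementation"]

def resolve(node, root):
    """Follow local '#/a/b' references until a concrete subschema is reached."""
    while "$ref" in node:
        target = root
        for part in node["$ref"].lstrip("#/").split("/"):
            target = target[part]
        node = target
    return node

def min_items_violations(instance, schema, root=SCHEMA, path="$"):
    """Return one message per array shorter than the schema's minItems."""
    schema, found = resolve(schema, root), []
    if isinstance(instance, list):
        need = schema.get("minItems", 0)
        if len(instance) < need:
            found.append(f"{path}: {len(instance)} item(s), minItems is {need}")
        for i, item in enumerate(instance):
            found += min_items_violations(item, schema.get("items", {}), root, f"{path}[{i}]")
    elif isinstance(instance, dict):
        for key, sub in schema.get("properties", {}).items():
            if key in instance:
                found += min_items_violations(instance[key], sub, root, f"{path}.{key}")
    return found

# Constructed instance: a source is set but the requirements array is empty.
EMPTY = {"source": "profile.json", "implemented-requirements": []}
print(min_items_violations(EMPTY, CI))
```

A check like this can run over the serialized object before it is written out, failing the task when the returned list is non-empty.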