Open Telos-sa opened 1 year ago
@Telos-sa, I'll take a look. Just to confirm, reply with oscal-cli --version and tell me what version of the CLI and models you're using?
Also, I did not notice this in the OSCAL repository. As this is a report about processing of data instances with the CLI, I will transfer this to the oscal-cli repository. Thanks for your report.
[ec2-user@ip-172-31-4-212 FedRAMP---Major-System-Boundary_OSCAL-export_20230823]$ oscal-cli --version
oscal-cli 1.0.1 built at 2023-08-21 14:11 from branch main (6014c6d) at https://github.com/usnistgov/oscal-cli.git
liboscal-java v3.0.0 built at 2023-08-16 15:55 from branch 8eb8c5891f63b2540ca121aee32b4c8831ae08d7 (8eb8c58) at https://github.com/usnistgov/liboscal-java
oscal v1.0.5 built at 2023-08-16 15:55 from branch d19aedf7d0e0fba3b780d56c080312379127d7a4 (d19aedf) at https://github.com/usnistgov/OSCAL.git
metaschema-java 0.12.1 built at 2023-08-15T20:52:16+0000 from branch cb4b3fb31a1403dcdc5397bc8da07bac6d23cde8 (cb4b3fb) at https://github.com/usnistgov/metaschema-java
metaschema v0.9.0 built at 2023-08-15T20:52:16+0000 from branch a36f579e1e30abb2263895242cdbd2cf4bd29513 (a36f579) at https://github.com/usnistgov/metaschema
A little out of step, I cant test on the newest CLI if needed.
So I have looked at this preliminarily and it seems in 1.0.2 (the oscal-version of the supplied document, thanks for this!) and in 1.1.0 (which is what oscal-cli 1.0.1 implements by virtue of the commit, not tag; I picked up that issue late), this appears to be correct behavior.
The XML/JSON schema constraints are designed to support zero or more props, but super-schema Metaschema-based constraints that the context of this particular implemented-component element requires the asset-id prop there. The CLI is working as intended.
That said, this highlights maybe a bug in the docs or some edge cases in the OSCAL schema docs and how they can be rendered. I cannot deny that, especially once I wrote the above paragraph. I will open a related issue today or later in the week.
Here is an example of what we are posting. Trying to figure out what the structure should be:
Outline:
Component is defined with Type
Inventory is defined with Asset-id prop (requirement for FedRAMP)
Component is associated to inventory leveraging the "implemented-component" tag
Wouldn't the asset-id for the component tie to the asset-id of the inventory?
Is this what is required: each unique piece of software that is installed on an inventory item must have an asset-id that distinguishes it as an instance of the component.
Didn't the presence of the implemented component do that by default? Attached two images that show the link between software and inventory.
Hey @aj-stein-nist did you get a chance to look at the additional notes? Do we need to have an asset-id within the component when the asset id is tied to the inventory item? Want to confirm where the asset-id prop should be located within the model.
Hi @Telos-sa, re https://github.com/usnistgov/oscal-cli/issues/184#issuecomment-1693891249, it seems there has not been any change to the upstream models. I will try to coordinate that request and open an issue, but until then this issue is blocked. Sorry for the delayed update.
Describe the bug
Getting a cardinality error for implemented component:
[ERROR] [/system-security-plan/system-implementation[1]/inventory-item[1]/implemented-component[1]] The cardinality '0' is below the required minimum '1' for items matching the expression 'prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id']'.
Which seems to conflict with the requirement in the model:
Please review, and let us know if we need to adjust. Attached is the SSP to review for evidence:
FedRAMP---Major-System-Boundary_OSCAL-export_20230823.zip
Who is the bug affecting
Resources that associate components with asset inventory.
What is affected by this bug
Tooling & API
How do we replicate this issue
Validate the OSCAL SSP provided using the OSCAL-CLI tool.
Expected behavior (i.e. solution)
Based on the model, there should not be any requirements for this, except to ensure the uuid of the component is included if the implemented-component is included.
Other comments
No response
Revisions
No response
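The constraint named in the error message can be approximated outside the CLI to list every implemented-component that would trip it before running a full validation. This is an added example, not code from oscal-cli or from anyone in the thread; the sample SSP is constructed, the function names are hypothetical, and treating a prop with no ns attribute as belonging to the OSCAL namespace is an assumption about what has-oscal-namespace checks.

```python
import xml.etree.ElementTree as ET

Q = "{http://csrc.nist.gov/ns/oscal/1.0}"        # XML namespace of OSCAL elements
OSCAL_PROP_NS = "http://csrc.nist.gov/ns/oscal"  # prop namespace named in the error

# Constructed sample, not the attached SSP export; all UUIDs and values are made up.
SAMPLE_SSP = """\
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0">
  <system-implementation>
    <inventory-item uuid="11111111-1111-4111-8111-111111111111">
      <prop name="asset-id" value="srv-001"/>
      <implemented-component component-uuid="aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"/>
      <implemented-component component-uuid="bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb">
        <prop name="asset-id" value="srv-001-sw-02"/>
      </implemented-component>
    </inventory-item>
    <inventory-item uuid="22222222-2222-4222-8222-222222222222">
      <prop name="asset-id" value="srv-002"/>
      <implemented-component component-uuid="aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa">
        <prop ns="https://example.com/ns" name="asset-id" value="local-7"/>
      </implemented-component>
    </inventory-item>
  </system-implementation>
</system-security-plan>
"""

def is_oscal_asset_id(prop):
    # Assumption: a prop without @ns counts as being in the OSCAL namespace.
    return (prop.get("name") == "asset-id"
            and prop.get("ns", OSCAL_PROP_NS) == OSCAL_PROP_NS)

def missing_asset_id(xml_text):
    """Return paths of implemented-component elements with no OSCAL asset-id prop."""
    root = ET.fromstring(xml_text)
    findings = []
    for s, impl in enumerate(root.findall(Q + "system-implementation"), 1):
        for i, item in enumerate(impl.findall(Q + "inventory-item"), 1):
            for c, comp in enumerate(item.findall(Q + "implemented-component"), 1):
                # Only direct prop children count; the asset-id on the parent
                # inventory-item does not satisfy the constraint.
                if not any(is_oscal_asset_id(p) for p in comp.findall(Q + "prop")):
                    findings.append(
                        "/system-security-plan/system-implementation[%d]"
                        "/inventory-item[%d]/implemented-component[%d]" % (s, i, c))
    return findings

if __name__ == "__main__":
    for path in missing_asset_id(SAMPLE_SSP):
        print("missing asset-id prop:", path)
```

The second finding in the sample comes from an asset-id prop placed in a non-OSCAL namespace, which does not match the expression in the error.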