usnistgov / oscal-cli

A simple open source command line tool to support common operations over OSCAL content.

OSCAL-CLI system-implementation/inventory/implemented-component (Cardinality) #184

Open Telos-sa opened 1 year ago

Telos-sa commented 1 year ago

Describe the bug

Getting a cardinality error for implemented component:

[ERROR] [/system-security-plan/system-implementation[1]/inventory-item[1]/implemented-component[1]] The cardinality '0' is below the required minimum '1' for items matching the expression 'prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id']'.

Which seems to conflict with the requirement in the model (screenshot attached).

Please review, and let us know if we need to adjust. Attached is the SSP to review for evidence:

FedRAMP---Major-System-Boundary_OSCAL-export_20230823.zip

Who is the bug affecting

Resources that associate components with asset inventory.

What is affected by this bug

Tooling & API

How do we replicate this issue

Validate the OSCAL SSP provided using the OSCAL-CLI tool.

Expected behavior (i.e. solution)

Based on the model, there should not be any requirements for this, except to ensure the uuid of the component is included if the implemented-component is included.

Other comments

No response

Revisions

No response

aj-stein-nist commented 1 year ago

@Telos-sa, I'll take a look. Just to confirm, reply with oscal-cli --version and tell me what version of the CLI and models you're using?

aj-stein-nist commented 1 year ago

Also, I did not notice this in the OSCAL repository. As this is a report about processing of data instances with the CLI, I will transfer this to the oscal-cli repository. Thanks for your report.

Telos-sa commented 1 year ago

[ec2-user@ip-172-31-4-212 FedRAMP---Major-System-Boundary_OSCAL-export_20230823]$ oscal-cli --version
oscal-cli 1.0.1 built at 2023-08-21 14:11 from branch main (6014c6d) at https://github.com/usnistgov/oscal-cli.git
liboscal-java v3.0.0 built at 2023-08-16 15:55 from branch 8eb8c5891f63b2540ca121aee32b4c8831ae08d7 (8eb8c58) at https://github.com/usnistgov/liboscal-java
oscal v1.0.5 built at 2023-08-16 15:55 from branch d19aedf7d0e0fba3b780d56c080312379127d7a4 (d19aedf) at https://github.com/usnistgov/OSCAL.git
metaschema-java 0.12.1 built at 2023-08-15T20:52:16+0000 from branch cb4b3fb31a1403dcdc5397bc8da07bac6d23cde8 (cb4b3fb) at https://github.com/usnistgov/metaschema-java
metaschema v0.9.0 built at 2023-08-15T20:52:16+0000 from branch a36f579e1e30abb2263895242cdbd2cf4bd29513 (a36f579) at https://github.com/usnistgov/metaschema

A little out of step; I can't test on the newest CLI if needed.

aj-stein-nist commented 1 year ago

So I have looked at this preliminarily and it seems in 1.0.2 (the oscal-version of the supplied document, thanks for this!) and in 1.1.0 (which is what oscal-cli 1.0.1 implements by virtue of the commit, not tag; I picked up that issue late), this appears to be correct behavior.

https://github.com/usnistgov/OSCAL/blob/v1.0.2/src/metaschema/oscal_implementation-common_metaschema.xml#L514

https://github.com/usnistgov/OSCAL/blob/v1.1.0/src/metaschema/oscal_implementation-common_metaschema.xml#L530

The XML/JSON schema constraints are designed to support zero or more props, but the super-schema Metaschema-based constraints require that, in the context of this particular implemented-component element, the asset-id prop be present there. The CLI is working as intended.

That said, this highlights maybe a bug in the docs or some edge cases in the OSCAL schema docs and how they can be rendered. I cannot deny that, especially once I wrote the above paragraph. I will open a related issue today or later in the week.
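As an added illustration (not code from the oscal-cli project or from either participant), the following Python pre-check reproduces the Metaschema cardinality rule quoted in the error above: every inventory-item/implemented-component must carry at least one prop named asset-id in the OSCAL namespace. The SSP fragment is constructed for this example; the element namespace http://csrc.nist.gov/ns/oscal/1.0 and the treatment of a prop with no @ns attribute as OSCAL-namespaced are assumptions about how OSCAL documents are processed.

```python
import xml.etree.ElementTree as ET

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"   # XML element namespace (assumed)
PROP_NS = "http://csrc.nist.gov/ns/oscal"        # prop namespace quoted in the CLI error
NS = {"o": OSCAL_NS}

# Constructed sample: item 1 puts asset-id only on the inventory-item (as in the
# reporter's SSP); item 2 also puts one on the implemented-component itself.
SAMPLE_SSP = f"""<system-security-plan xmlns="{OSCAL_NS}" uuid="00000000-0000-4000-8000-000000000001">
  <system-implementation>
    <inventory-item uuid="00000000-0000-4000-8000-000000000010">
      <prop name="asset-id" value="srv-001"/>
      <implemented-component component-uuid="00000000-0000-4000-8000-000000000100"/>
    </inventory-item>
    <inventory-item uuid="00000000-0000-4000-8000-000000000011">
      <prop name="asset-id" value="srv-002"/>
      <implemented-component component-uuid="00000000-0000-4000-8000-000000000101">
        <prop name="asset-id" value="srv-002-sw-1"/>
      </implemented-component>
    </inventory-item>
  </system-implementation>
</system-security-plan>"""


def has_oscal_namespace(prop):
    # Mirrors Metaschema's has-oscal-namespace(): a prop with no @ns is OSCAL-namespaced (assumed).
    ns = prop.get("ns")
    return ns is None or ns == PROP_NS


def find_missing_asset_ids(xml_text):
    """Return the path of every implemented-component lacking an OSCAL asset-id prop."""
    root = ET.fromstring(xml_text)
    errors = []
    for i, impl in enumerate(root.findall("o:system-implementation", NS), 1):
        for j, item in enumerate(impl.findall("o:inventory-item", NS), 1):
            for k, comp in enumerate(item.findall("o:implemented-component", NS), 1):
                ok = any(has_oscal_namespace(p) and p.get("name") == "asset-id"
                         for p in comp.findall("o:prop", NS))
                if not ok:
                    # Same path form as the oscal-cli error message in this issue
                    errors.append(f"/system-security-plan/system-implementation[{i}]"
                                  f"/inventory-item[{j}]/implemented-component[{k}]")
    return errors


if __name__ == "__main__":
    for path in find_missing_asset_ids(SAMPLE_SSP):
        print(f"[ERROR] [{path}] missing prop[has-oscal-namespace(...) and @name='asset-id']")
```

Only the first implemented-component is flagged: an asset-id on the enclosing inventory-item does not satisfy the rule, which is the point of the reporter's question below.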

Telos-sa commented 1 year ago

Here is an example of what we are posting. Trying to figure out what the structure should be. Outline:

- Component is defined with Type
- Inventory is defined with Asset-id prop (requirement for FedRAMP)
- Component is associated to inventory leveraging the "implemented-component" tag

Wouldn't the asset-id for the component tie to the asset-id of the inventory?
Is this what is required: each unique piece of software that is installed on an inventory item must have an asset-id that distinguishes it as an instance of the component.

Didn't the presence of the implemented component do that by default? Attached two images that show the link between software and inventory.


Telos-sa commented 1 year ago

Hey @aj-stein-nist, did you get a chance to look at the additional notes? Do we need to have an asset-id within the component when the asset id is tied to the inventory item? Want to confirm where the asset-id prop should be located within the model.

Telos-sa commented 1 year ago

FedRAMP---Major-System-Boundary_FedRAMP_SSP.xml.zip

aj-stein-nist commented 7 months ago

Hi @Telos-sa, re https://github.com/usnistgov/oscal-cli/issues/184#issuecomment-1693891249, it seems there has not been any change to the upstream models. I will try to coordinate that request and open an issue, but until then this issue is blocked. Sorry for the delayed update.