search

usnistgov / oscal-cli

A simple open source command line tool to support common operations over OSCAL content.
Other
41 stars 18 forks source link

An uncaught runtime error occured. custom structuring #250

Open kent-sil opened 4 months ago

kent-sil commented 4 months ago

running the oscal-cli profile resolve command on a validated profile, responds with the error: "An uncaught runtime error occured. custom structuring". I am using the Merge -- Custom directive.

code snippet:

  <imports>
    <href>control-catalog-link</href>
    <include-controls>
      <with-ids>ctl_1.1</with-ids>
      <with-ids>ctl_1.2</with-ids>
      <with-ids>ctl_1.3</with-ids>
      <with-ids>ctl_1.4</with-ids>
    </include-controls>
  </imports>
  <merge>
    <custom>
      <groups>
        <id>grp_1</id>
        <class>control-group</class>
        <title>Reporting Controls</title>
        <groups>
          <id>ctl_1.1</id>
          <title>Reports</title>
          <class>control</class>
          <insert-controls>
            <include-controls>
              <with-ids>ctl_1.1</with-ids>
              <with-ids>ctl_1.2</with-ids>
            </include-controls>
          </insert-controls>
        </groups>
      </groups>
      <insert-controls>
        <include-controls>
          <with-ids>ctl_1.1</with-ids>
          <with-ids>ctl_1.2</with-ids>
        </include-controls>
      </insert-controls>
    </custom>
  </merge>

--show-stack-trace shows the following:

java.lang.UnsupportedOperationException: custom structuring
        at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.handleMerge(ProfileResolver.java:450) ~[gov.nist.secauto.oscal.liboscal-java-3.0.1.jar:?]
        at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.resolveProfile(ProfileResolver.java:205) ~[gov.nist.secauto.oscal.liboscal-java-3.0.1.jar:?]
        at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.resolve(ProfileResolver.java:234) ~[gov.nist.secauto.oscal.liboscal-java-3.0.1.jar:?]
        at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.resolve(ProfileResolver.java:219) ~[gov.nist.secauto.oscal.liboscal-java-3.0.1.jar:?]
        at gov.nist.secauto.oscal.tools.cli.core.commands.profile.ResolveSubcommand.executeCommand(ResolveSubcommand.java:287) ~[gov.nist.secauto.oscal.tools.oscal-cli.cli-core-1.0.1.jar:?]
        at gov.nist.secauto.metaschema.cli.processor.command.ICommandExecutor$1.execute(ICommandExecutor.java:48) ~[gov.nist.secauto.metaschema.cli-processor-0.12.1.jar:?]
        at gov.nist.secauto.metaschema.cli.processor.CLIProcessor$CallingContext.invokeCommand(CLIProcessor.java:403) ~[gov.nist.secauto.metaschema.cli-processor-0.12.1.jar:?]
        at gov.nist.secauto.metaschema.cli.processor.CLIProcessor$CallingContext.processCommand(CLIProcessor.java:374) [gov.nist.secauto.metaschema.cli-processor-0.12.1.jar:?]
        at gov.nist.secauto.metaschema.cli.processor.CLIProcessor.parseCommand(CLIProcessor.java:192) [gov.nist.secauto.metaschema.cli-processor-0.12.1.jar:?]
        at gov.nist.secauto.metaschema.cli.processor.CLIProcessor.process(CLIProcessor.java:176) [gov.nist.secauto.metaschema.cli-processor-0.12.1.jar:?]
        at gov.nist.secauto.oscal.tools.cli.core.CLI.runCli(CLI.java:78) [gov.nist.secauto.oscal.tools.oscal-cli.cli-core-1.0.1.jar:?]
        at gov.nist.secauto.oscal.tools.cli.core.CLI.main(CLI.java:55) [gov.nist.secauto.oscal.tools.oscal-cli.cli-core-1.0.1.jar:?]

Please assist.

kent-sil commented 4 months ago

Sorry. XML didn't post correctly. Here is a JSON snippet: 

   "imports": [
      {
        "href": "link-to-catalog-file",
        "include-controls": [
          {
            "with-ids": [
              "ctl_1.1",
              "ctl_1.2",
              "ctl_1.3",
              "ctl_1.4"
            ]
          }
        ]
      }
    ],
    "merge": {
      "custom": {
          "groups": [{
                "id": "grp_1",
                "class": "control-group",
                "title": "Group 1 controls",
                "groups": [{
                    "id": "gp_1",
                    "title": "Reports",
                    "class": "control",
                    "insert-controls": [{
                        "include-controls": [{
                            "with-ids": [
                                "ctl_1.1",
                                "ctl_1.2"
                            ]
                        }]
                    }]
                }]  
            }],     
            "insert-controls": [{
                "include-controls": [{
                    "with-ids": [
                        "ctl_1.1",
                        "ctl_1.2"
                    ]
                }]
            }]
        }
    }
aj-stein-nist commented 4 months ago

Hi @kent-sil, thanks for your bug report. I will examine the sample catalog and profile, but I did not think liboscal-java (and by virtue of it), support custom. Looking at the code, it does not. The default resolver provided does not implement it. EDIT: I had previously written about this functionality based on a misunderstanding. I misinterpreted the names intentions: it is more like customization (of groups and other items). It is not currently supported but we can support it if we prioritize this development effort.

If you would like assistance, can you provide an example of the desired resolved catalog and I can tell you how to use one of the supported merging strategies before closing this issue? It may be possible but I need to see the desired goal catalog, not just the source catalog and profile.

kent-sil commented 4 months ago

This was actually a test to import and group a few controls from one catalog. The ultimate goal is to import from multiple catalogs and create groupings of like controls. However, since I received the error with only 1 catalog, the expected output from the above would be something similar to:

    "groups": [{
        "id": "group_1",
        "class": "control-group",
        "title": "Business controls",
        "controls": [{
            "id": "ctl_1.1",
            "class": "control-1",
            "title": "Control 1",
            "parts": [{
                "id": "stmt_1.1",
                "name": "statement",
                "prose": "prose for group 1"
            }]
        },
        {
            "id": "ctl_1.3",
            "class": "control",
            "title": "Control 3",
            "props": [{
                "name": "label",
                "value": "1.3"
            }],
            "parts": [{
                "id": "stmt_1.3",
                "name": "statement",
                "prose": "prose for control 3"
            }]
        }
    },
    {
        "id": "group_2",
        "class": "control-group",
        "title": "control group 2",
        "controls": [{
            "id": "ctl_2",
            "class": "control-2",
            "title": "Control 2",
            "parts": [{
                "id": "stmt_1.2",
                "name": "statement",
                "prose": "prose for control 2"
            }]
        },
        {
            "id": "ctl_1.4",
            "class": "control",
            "title": "control-4",
            "props": [{
                "name": "label",
                "value": "1.4"
            }],
            "parts": [{
                "id": "stmt_1.4",
                "name": "statement",
                "prose": "prose for control 4"
            }]
        }
    }]          
}]
aj-stein-nist commented 4 months ago

OK well this is possible to implement it is not currently supported. I am going to open a cross-posted issue to the core library that the CLI calls into to implement it in future work and you should be able to use custom then. I understand if you re using groups from multiple pre-existing catalogs it is not so easy to use the other strategies (from experience and summary). Thanks for your updates.