Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Profile resolution with catalog with ungrouped controls throws exception #200

Open
aj-stein-nist opened this issue Oct 26, 2023 · 1 comment
Open

Profile resolution with catalog with ungrouped controls throws exception #200

aj-stein-nist opened this issue Oct 26, 2023 · 1 comment
Labels
bug Something isn't working

Comments

@aj-stein-nist
Copy link
Collaborator

Describe the bug

While writing tests for usnistgov/oscal-cli#178, I have been unable to resolve a profile with a catalog with a "flat" catalog that has only two controls. This is using a development version using liboscal-java v3.0.2 as a dependency.

Catalog that throws stack trace:

<?xml version="1.0" encoding="UTF-8"?>
<?xml-model href="https://github.com/usnistgov/OSCAL/releases/download/v1.1.1/oscal_complete_schema.xsd" type="application/xml" schematypens="http://www.w3.org/2001/XMLSchema"?>
<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="1296032c-f0a7-4e00-84f0-c09b9b1c81b5">
    <metadata>
        <title>Valid OSCAL Document</title>
        <last-modified>2023-10-24T00:00:00.000000-00:00</last-modified>
        <version>1.0</version>
        <oscal-version>1.1.1</oscal-version>
        <role id="maintainer">
            <title>Maintainer of oscal-cli</title>
        </role>
        <party uuid="4ba3f2b7-e894-48d7-b940-91c68661df55" type="person">
            <name>NIST ITL CSD Developer</name>
        </party>
        <responsible-party role-id="maintainer">
            <party-uuid>4ba3f2b7-e894-48d7-b940-91c68661df55</party-uuid>
        </responsible-party>
    </metadata>
    <group id="eg1">
        <title>Example Group 1</title>
        <control id="control-1">
            <title>Control 1</title>
            <part name="statement">
                <p>This statement is a requirement for Control 1.</p>
            </part>
        </control>
        <control id="control-2">
            <title>Control 2</title>
            <part name="statement">
                <p>This statement is a requirement for Control 2.</p>
            </part>
        </control>
    </group>
</catalog>

Catalog that does not throw stack trace:

<?xml version="1.0" encoding="UTF-8"?>
<?xml-model href="https://github.com/usnistgov/OSCAL/releases/download/v1.1.1/oscal_complete_schema.xsd" type="application/xml" schematypens="http://www.w3.org/2001/XMLSchema"?>
<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="1296032c-f0a7-4e00-84f0-c09b9b1c81b5">
    <metadata>
        <title>Valid OSCAL Document</title>
        <last-modified>2023-10-24T00:00:00.000000-00:00</last-modified>
        <version>1.0</version>
        <oscal-version>1.1.1</oscal-version>
        <role id="maintainer">
            <title>Maintainer of oscal-cli</title>
        </role>
        <party uuid="4ba3f2b7-e894-48d7-b940-91c68661df55" type="person">
            <name>NIST ITL CSD Developer</name>
        </party>
        <responsible-party role-id="maintainer">
            <party-uuid>4ba3f2b7-e894-48d7-b940-91c68661df55</party-uuid>
        </responsible-party>
    </metadata>
    <group id="eg1">
        <title>Example Group 1</title>
        <control id="control-1">
            <title>Control 1</title>
            <part name="statement">
                <p>This statement is a requirement for Control 1.</p>
            </part>
        </control>
        <control id="control-2">
            <title>Control 2</title>
            <part name="statement">
                <p>This statement is a requirement for Control 2.</p>
            </part>
        </control>
    </group>
</catalog>

Profile:

<?xml version="1.0" encoding="UTF-8"?>
<?xml-model href="https://github.com/usnistgov/OSCAL/releases/download/v1.1.1/oscal_complete_schema.xsd" type="application/xml" schematypens="http://www.w3.org/2001/XMLSchema"?>
<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="46a67f43-6dd0-4231-b7d0-28e900fcbbe0">
    <metadata>
        <title>Valid OSCAL Document</title>
        <last-modified>2023-10-24T00:00:00.000000-00:00</last-modified>
        <version>1.0</version>
        <oscal-version>1.1.1</oscal-version>
        <role id="maintainer">
            <title>Maintainer of oscal-cli</title>
        </role>
        <party uuid="4ba3f2b7-e894-48d7-b940-91c68661df55" type="person">
            <name>NIST ITL CSD Developer</name>
        </party>
        <responsible-party role-id="maintainer">
            <party-uuid>4ba3f2b7-e894-48d7-b940-91c68661df55</party-uuid>
        </responsible-party>
    </metadata>
    <import href="example_catalog_valid.xml">
        <include-controls>
            <with-id>control-1</with-id>
        </include-controls>
    </import>
    <back-matter>
        <resource uuid="1ac08f59-cafa-4a71-a63b-5f4a0f3cf1f2">
            <rlink href="example_catalog_valid.xml"/>
        </resource>
    </back-matter>
</profile>

Stack trace:

java.lang.AssertionError
 at gov.nist.secauto.oscal.lib.profile.resolver.merge.FlatteningStructuringVisitor.visitControl(FlatteningStructuringVisitor.java:121)
 at gov.nist.secauto.oscal.lib.profile.resolver.merge.FlatteningStructuringVisitor.visitControl(FlatteningStructuringVisitor.java:55)
 at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogEntityVisitor.visitControlInternal(AbstractCatalogEntityVisitor.java:168)
 at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogVisitor.visitControlItem(AbstractCatalogVisitor.java:145)
 at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogVisitor.lambda$visitControlContainer$2(AbstractCatalogVisitor.java:127)
 at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
 at java.base/java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:720)
 at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
 at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
 at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
 at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
 at java.base/java.util.stream.ReferencePipeline.reduce(ReferencePipeline.java:553)
 at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogVisitor.visitControlContainer(AbstractCatalogVisitor.java:129)
 at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogEntityVisitor.visitControlContainer(AbstractCatalogEntityVisitor.java:122)
 at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogVisitor.visitGroupContainer(AbstractCatalogVisitor.java:73)
 at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogEntityVisitor.visitGroupContainer(AbstractCatalogEntityVisitor.java:110)
 at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogVisitor.visitCatalog(AbstractCatalogVisitor.java:50)
 at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogEntityVisitor.visitCatalog(AbstractCatalogEntityVisitor.java:96)
 at gov.nist.secauto.oscal.lib.profile.resolver.merge.FlatteningStructuringVisitor.visitCatalog(FlatteningStructuringVisitor.java:84)
 at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.structureFlat(ProfileResolver.java:489)
 at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.handleMerge(ProfileResolver.java:453)
 at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.resolveProfile(ProfileResolver.java:205)
 at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.resolve(ProfileResolver.java:234)
 at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.resolve(ProfileResolver.java:219)
 at gov.nist.secauto.oscal.tools.cli.core.commands.profile.ResolveSubcommand.executeCommand(ResolveSubcommand.java:287)
 at gov.nist.secauto.metaschema.cli.processor.command.ICommandExecutor$1.execute(ICommandExecutor.java:48)
 at gov.nist.secauto.metaschema.cli.processor.CLIProcessor$CallingContext.invokeCommand(CLIProcessor.java:403)
 at gov.nist.secauto.metaschema.cli.processor.CLIProcessor$CallingContext.processCommand(CLIProcessor.java:374)
 at gov.nist.secauto.metaschema.cli.processor.CLIProcessor.parseCommand(CLIProcessor.java:192)
 at gov.nist.secauto.metaschema.cli.processor.CLIProcessor.process(CLIProcessor.java:176)
 at gov.nist.secauto.oscal.tools.cli.core.CLI.runCli(CLI.java:78)
 at gov.nist.secauto.oscal.tools.cli.core.CLITest.testResolveSubCommandValidFile(CLITest.java:127)
 at java.base/java.util.ArrayList.forEach(ArrayList.java:1541)
 at java.base/java.util.ArrayList.forEach(ArrayList.java:1541)

Who is the bug affecting?

  1. Developers writing software with liboscal-java or engineers using software based on liboscal-java, such as oscal-cli.

What is affected by this bug?

Profile resolution with catalogs that do not have groups.

When does this occur?

Consistently.

How do we replicate the issue?

Review the examples or use the integration tests in in the 178-add-integration-tests branch.

See the above stack trace for further details.

Expected behavior (i.e. solution)

The catalog resolves correctly if it does not have groups.

Other Comments

N/A
@aj-stein-nist aj-stein-nist added the bug Something isn't working label Oct 26, 2023
@aj-stein-nist
Copy link
Collaborator Author

So it appears the assertion that a control lookup in the index during flattening is the cause of the exception. When stepping through with a debugger, the control in question is control-2 because it is not included from the profile and dropped, so it is not included within the index.

@aj-stein-nist aj-stein-nist moved this from Needs Triage to Further Analysis Needed in NIST OSCAL Work Board Oct 26, 2023
@aj-stein-nist aj-stein-nist moved this from Further Analysis Needed to Todo in NIST OSCAL Work Board Oct 27, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
NIST OSCAL Work Board
Status: Todo
Milestone
No milestone
Development

When branches are created from issues, their pull requests are automatically linked.

200-resolution-ungrouped-control-exception usnistgov/liboscal-java
1 participant
@aj-stein-nist