Profile resolution incorrectly maps the oscal-version from the version on the source profile

[david-waltermire]

Describe the bug

Profile resolution incorrectly maps the oscal-version from the version on the source profile.

Who is the bug affecting?

Users using the profile resolution functionality.

What is affected by this bug?

Provides incorrect profile resolution output.
Resolving the following:

<?xml version="1.0" encoding="UTF-8"?>
<?xml-model href="../example-checkup.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
<!-- Modified by conversion XSLT 2021-04-05T11:22:07.701-04:00 - RC2 OSCAL becomes RC3 OSCAL -->
<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0"
         uuid="cb1ec926-3441-458f-8cce-ea11308c9d37">
   <metadata>
      <title>Test Profile</title>
      <last-modified>2020-05-30T14:39:35.84-04:00</last-modified>
      <version>2.3.4</version>
      <oscal-version>1.0.3</oscal-version>
   </metadata>
   <import href="catalogs/abc-simple_catalog.xml">
      <include-controls with-child-controls="yes">
         <with-id>a1</with-id>
         <with-id>b1</with-id>
         <with-id>c1</with-id>
         <with-id>c3</with-id>
      </include-controls>
   </import>
</profile>

Will result in:

<?xml version='1.0' encoding='UTF-8'?>
<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="bd50d038-64e2-49ef-9524-c8172d77cbaf">
  <metadata>
    <title>Test Profile</title>
    <last-modified>2022-05-10T10:47:25.3088315Z</last-modified>
    <version>2.3.4</version>
    <oscal-version>2.3.4</oscal-version>
    <prop name="resolution-tool" value="libOSCAL-Java"/>
    <link href="file:/******/liboscal-java/oscal/src/specifications/profile-resolution/profile-resolution-examples/base-test_profile.xml" rel="source-profile"/>
  </metadata>
  <control id="a1">
    <title>Control A1</title>
    <prop name="label" value="first"/>
    <part id="a1-stmt" name="statement">
      <p>A1 aaaaa aaaaaaaaaa</p>
    </part>
  </control>
  <control id="b1">
    <title>Control B1</title>
    <prop name="label" value="fourth"/>
    <part id="b1-stmt" name="statement">
      <p>B1 bbbb bbbbbbb.</p>
    </part>
  </control>
  <control id="c1">
    <title>Control C1</title>
    <prop name="label" value="seventh"/>
    <part id="c1-stmt" name="statement">
      <p>C1 ccccc ccc ccccccccccccccccc.</p>
    </part>
  </control>
  <control id="c3">
    <title>Control C3</title>
    <prop name="label" value="ninth"/>
    <part id="c3-stmt" name="statement">
      <p>C3 ccccc cccccccccccccc.</p>
    </part>
  </control>
  <control id="c3.a">
    <title>Control C3-A</title>
    <prop name="label" value="tenth"/>
    <part id="c3-stmt" name="statement">
      <p>C3 A ccccc cccccccccccccc.</p>
    </part>
  </control>
  <control id="c3.a-1">
    <title>Control C3-A-1</title>
    <prop name="label" value="eleventh"/>
    <part id="c3-stmt" name="statement">
      <p>C3 A-1 ccccc cccccccccccccc.</p>
    </part>
  </control>
</catalog>

When does this occur?

On profile resolution.

How do we replicate the issue?

Add the below (Illustrative only) test to ProfileResolutionTests.

@Test  
void testOscalVersion() throws IllegalStateException, IOException, BindingException, SaxonApiException {  
  String injectedOscalVersion = "1.0.3";  
  String profileLocation = String.format("%s/%s_profile.xml", PROFILE_PATH, "base-test");  
  File profileFile = new File(profileLocation);  
  Profile profile = OscalBindingContext.instance().loadProfile(profileFile);  
  profile.getMetadata().setOscalVersion(injectedOscalVersion);  
  ProfileResolver.ResolutionData data  
          = new ProfileResolver.ResolutionData(profile, ObjectUtils.notNull(profileFile.toURI()), new Stack<>());  
  getProfileResolver().resolve(data);  
  Catalog actual = data.getCatalog();  
  Assertions.assertThat(actual.getMetadata().getOscalVersion()).isEqualTo(injectedOscalVersion);  
}

Expected behavior (i.e. solution)

See Assertions above.

Other Comments

None