Improper handling of group links during profile resolution #65

Closed
david-waltermire opened this issue Aug 29, 2022 · 6 comments · Fixed by #69 or #85
Labels
bug Something isn't working

Comments

@david-waltermire
Collaborator

Describe the bug

When using a profile, such as the ARS moderate profile, oscal-cli produces the following errors.

the anchor should reference a resource, control, group, or part identified by 'ir', but the identifier was not found in the index.
the anchor should reference a resource, control, group, or part identified by 'pe', but the identifier was not found in the index.
the anchor should reference a resource, control, group, or part identified by 'mp', but the identifier was not found in the index.

This is due to the three references (in <a> elements) in the catalog which target group elements. The groups are removed since the structuring directive flat is used.

Who is the bug affecting?

Users of the oscal-cli tool and this library performing profile resolution.

What is affected by this bug?

Any profile using the flat structuring directive with a group reference.

When does this occur?

See above.

How do we replicate the issue?

See above.

Expected behavior (i.e. solution)

Links to groups should be resolved to absolute URLs pointing to the original catalog, replacing the current links.

Other Comments

None.
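
The failure and the expected behavior described above, as an added example (not code from liboscal-java or oscal-cli). It models only the flat structuring step: groups are dropped, controls are lifted, and fragment links whose target vanished are rewritten to absolute URLs against the source catalog. The sample catalog, `resolve_flat`, `q`, and the source URI passed to it are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "http://csrc.nist.gov/ns/oscal/1.0"

# Constructed sample catalog: one link to a group, one to a control, one to nothing.
CATALOG = """<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0">
  <group id="ir"><title>Incident Response</title>
    <control id="ir-1"><title>Policy and Procedures</title></control>
  </group>
  <group id="pe"><title>Physical and Environmental Protection</title>
    <control id="pe-1"><title>Policy and Procedures</title>
      <part id="pe-1_gdn" name="guidance">
        <p>See <a href="#ir">IR</a>, <a href="#ir-1">IR-1</a>, <a href="#zz">ZZ</a>.</p>
      </part>
    </control>
  </group>
</catalog>"""


def q(name):
    """Qualify a local name with the OSCAL namespace (ElementTree notation)."""
    return f"{{{NS}}}{name}"


def resolve_flat(catalog_xml, source_uri):
    """Flatten a catalog and repair fragment links whose targets were dropped."""
    src = ET.fromstring(catalog_xml)
    # Every id that exists in the source catalog, groups included.
    source_ids = {e.get("id") for e in src.iter() if e.get("id")}
    flat = ET.Element(q("catalog"))

    def lift(node):
        # Discard group wrappers, keep their controls at the top level.
        for child in node:
            if child.tag == q("group"):
                lift(child)
            elif child.tag == q("control"):
                flat.append(child)

    lift(src)
    # Index of ids that survived flattening; this is what '#x' can still reach.
    index = {e.get("id") for e in flat.iter() if e.get("id")}
    unresolved = []
    for a in flat.iter(q("a")):
        href = a.get("href", "")
        if not href.startswith("#") or href[1:] in index:
            continue  # external link, or target still present
        if href[1:] in source_ids:
            a.set("href", source_uri + href)  # orphaned target: point at source
        else:
            unresolved.append(href)  # never existed: report, do not rewrite
    return flat, unresolved
```

Links that were already broken in the source catalog are returned separately, so a link that became orphaned through flattening is not confused with one that never had a target.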

@GaryGapinski

Added explicit /profile/merge/as-is in CMSgov/ars-machine-readable@6b1c4d2 but problem persists (resolved catalog lacks control groups).

david-waltermire added a commit to david-waltermire/liboscal-java that referenced this issue Sep 8, 2022
…profile resolution to improve performance.

- The current solution now reuses the index reducing the need to walk the document multiple times.
- The index code has been simplified to reduce a significant amount of redundant method calls.
- The various visitors now use a common set of base implementation classes making maintenance easier.
Added support for property name="keep" in the reference handler.
Fixed reference handling for orphaned groups during flat structuring. Resolves usnistgov#65.
@david-waltermire david-waltermire linked a pull request Sep 9, 2022 that will close this issue
8 tasks
david-waltermire added a commit to david-waltermire/liboscal-java that referenced this issue Sep 9, 2022
…profile resolution to improve performance.

- The current solution now reuses the index reducing the need to walk the document multiple times.
- The index code has been simplified to reduce a significant amount of redundant method calls.
- The various visitors now use a common set of base implementation classes making maintenance easier.
Added support for property name="keep" in the reference handler.
Fixed reference handling for orphaned groups during flat structuring. Resolves usnistgov#65.
david-waltermire added a commit that referenced this issue Sep 9, 2022
* Refactored the visitors used to process catalogs and profiles during profile resolution to improve performance.
- The current solution now reuses the index reducing the need to walk the document multiple times.
- The index code has been simplified to reduce a significant amount of redundant method calls.
- The various visitors now use a common set of base implementation classes making maintenance easier.
Added support for property name="keep" in the reference handler.
Fixed reference handling for orphaned groups during flat structuring. Resolves #65.
* Fixed compile, Checkstyle, PMD, and Spotbugs errors.
* Updated to latest OSCAL to get test content fixes.
@david-waltermire david-waltermire self-assigned this Sep 9, 2022
@david-waltermire david-waltermire added this to the v1.0.5 Release milestone Sep 9, 2022
@david-waltermire
Collaborator Author

@GaryGapinski and @openprivacy Try the following build. According to my unit tests, I believe this issue is fixed.

cli-core-0.2.1-SNAPSHOT-oscal-cli.zip

@openprivacy

openprivacy commented Sep 9, 2022

cli-core-0.2.1-SNAPSHOT fixes the issue (no more warnings) but I was surprised at the number of additional ODPs that popped up (see attachment diff_ars-5.0-moderate-catalog.txt); not yet sure if that was to be expected.

edit: adding commands to create above file:

FROM: https://github.com/CMSgov/ars-machine-readable/tree/main/ODP-extract

../2.0/oscal-cli profile resolve -t json ars-5.0-moderate-profile.xml ars-5.0-moderate-catalog.json
../2.1/oscal-cli profile resolve -t json ars-5.0-moderate-profile.xml ars-5.0-moderate-catalog2.json
diff ars-5.0-moderate-catalog.json ars-5.0-moderate-catalog2.json > diff_ars-5.0-moderate-catalog.txt

@david-waltermire
Collaborator Author

@openprivacy The resolver was not processing some nodes previously, causing spurious results due to a number of issues which have been corrected in the latest. This could explain why some parameters were previously ignored.

Let me know if you see anything that is out of place.

@GaryGapinski

GaryGapinski commented Sep 12, 2022

I tried that build with this profile and saw no error messages.

gapinski@flexion-mac-C02FCBVSMD6N ODP-extract % alias oscal-cli=/Users/gapinski/tmp/oscal-cli/bin/oscal-cli                                 
gapinski@flexion-mac-C02FCBVSMD6N ODP-extract % oscal-cli --version                                                                         
oscal-cli version 0.2.1-SNAPSHOT built on 2022-09-09 13:59 on commit fc06df7
OSCAL version v1.0.4 on commit c4de2fe

gapinski@flexion-mac-C02FCBVSMD6N ODP-extract % oscal-cli profile resolve ars-5.0-moderate-profile.xml ars-5.0-moderate-profile-resolved.xml

gapinski@flexion-mac-C02FCBVSMD6N ODP-extract %

That profile has

    <merge>
        <as-is/>
    </merge>

The output resolved profile contained no groups. All selected controls (352) and parameter values (568) were present in the resolved profile. Group references were qualified as

<a href="file:/Users/gapinski/Projects/github/GaryGapinski/ars-machine-readable/ODP-extract/ars-5.0-catalog.xml#pe">PE</a>

The input profile contained an xml-model processing instruction. It did not survive the resolution. Neither did test XML comments.

A test xml-model processing instruction <?xml-model ?> (admittedly useless but syntactically valid) provoked

gapinski@flexion-mac-C02FCBVSMD6N ODP-extract % oscal-cli profile resolve ars-5.0-moderate-profile.xml ars-5.0-moderate-profile-resolved.xml
Exception in thread "main" java.lang.NullPointerException
	at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.generateMetadata(ProfileResolver.java:261)
	at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.resolveProfile(ProfileResolver.java:201)
	at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.resolve(ProfileResolver.java:234)
	at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.resolve(ProfileResolver.java:219)
	at gov.nist.secauto.oscal.tools.cli.core.commands.profile.ResolveSubcommand.executeCommand(ResolveSubcommand.java:249)
	at gov.nist.secauto.oscal.tools.cli.framework.CLIProcessor.invokeCommand(CLIProcessor.java:258)
	at gov.nist.secauto.oscal.tools.cli.framework.CLIProcessor.processCommand(CLIProcessor.java:204)
	at gov.nist.secauto.oscal.tools.cli.framework.CLIProcessor.parseCommand(CLIProcessor.java:139)
	at gov.nist.secauto.oscal.tools.cli.framework.CLIProcessor.process(CLIProcessor.java:123)
	at gov.nist.secauto.oscal.tools.cli.core.CLI.parse(CLI.java:62)
	at gov.nist.secauto.oscal.tools.cli.core.CLI.main(CLI.java:45)
gapinski@flexion-mac-C02FCBVSMD6N ODP-extract %

A test xml-stylesheet processing instruction <?xml-stylesheet type="text/xsl" href="style.xsl"?> also provoked an identical exception:

gapinski@flexion-mac-C02FCBVSMD6N ODP-extract % oscal-cli profile resolve ars-5.0-moderate-profile.xml ars-5.0-moderate-profile-resolved.xml
Exception in thread "main" java.lang.NullPointerException
	at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.generateMetadata(ProfileResolver.java:261)
	at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.resolveProfile(ProfileResolver.java:201)
	at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.resolve(ProfileResolver.java:234)
	at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.resolve(ProfileResolver.java:219)
	at gov.nist.secauto.oscal.tools.cli.core.commands.profile.ResolveSubcommand.executeCommand(ResolveSubcommand.java:249)
	at gov.nist.secauto.oscal.tools.cli.framework.CLIProcessor.invokeCommand(CLIProcessor.java:258)
	at gov.nist.secauto.oscal.tools.cli.framework.CLIProcessor.processCommand(CLIProcessor.java:204)
	at gov.nist.secauto.oscal.tools.cli.framework.CLIProcessor.parseCommand(CLIProcessor.java:139)
	at gov.nist.secauto.oscal.tools.cli.framework.CLIProcessor.process(CLIProcessor.java:123)
	at gov.nist.secauto.oscal.tools.cli.core.CLI.parse(CLI.java:62)
	at gov.nist.secauto.oscal.tools.cli.core.CLI.main(CLI.java:45)
gapinski@flexion-mac-C02FCBVSMD6N ODP-extract %

@xee5ch

xee5ch commented Sep 14, 2022

I can confirm I was able to recreate the same behavior as reported by @GaryGapinski in #65 (comment) with the snapshot release provided in #65 (comment).

david-waltermire added a commit to david-waltermire/liboscal-java that referenced this issue Oct 27, 2022
…profile resolution to improve performance.

- The current solution now reuses the index reducing the need to walk the document multiple times.
- The index code has been simplified to reduce a significant amount of redundant method calls.
- The various visitors now use a common set of base implementation classes making maintenance easier.
Added support for property name="keep" in the reference handler.
Fixed reference handling for orphaned groups during flat structuring. Resolves usnistgov#65.
@david-waltermire david-waltermire linked a pull request Oct 27, 2022 that will close this issue
8 tasks
david-waltermire added a commit that referenced this issue Oct 27, 2022
* Refactored the visitors used to process catalogs and profiles during profile resolution to improve performance.
- The current solution now reuses the index reducing the need to walk the document multiple times.
- The index code has been simplified to reduce a significant amount of redundant method calls.
- The various visitors now use a common set of base implementation classes making maintenance easier.
Added support for property name="keep" in the reference handler.
Fixed reference handling for orphaned groups during flat structuring. Resolves #65.

* Fixed compile, Checkstyle, PMD, and Spotbugs errors.

* Code cleanup.