Describe the bug
Per discussion with @david-waltermire-nist, @iMichaela, and @GaryGapinski with an external stakeholder, it was determined that vanilla NIST OSCAL (in 1.x.y releases) permits a `protocol` assembly to be defined and implemented without a `port-range` within it, or any other semantically meaningful detail documented, because `port-range` is optional. Per discussion with the team, it is advisable to add a warning constraint (or, pending further feedback, a schema modification, though that would be backwards-compatibility breaking) to inform developers and users that a protocol definition is not logically useful without port ranges.
Who is the bug affecting
Tool authors and security practitioners who want to document protocol usage in an SSP component accurately, without error and without missing meaningful information.
What is affected by this bug
Documentation, Metaschema, Modeling
How do we replicate this issue
1. Create an OSCAL `system-security-plan`.
2. Create a `component` in the SSP from 1.
3. Create a `<protocol />` within the component from 2.
4. Run schema validation or constraints through the Java-based `oscal-cli` tool. Observe no warning or other form of output indicating that a `protocol` without a `port-range` is missing meaningful port information.
Expected behavior (i.e. solution)
A constraint is implemented to warn the developers or users that the protocol is missing meaningful port range information.
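As an added illustration (not code from the OSCAL project or oscal-cli), the script below performs the same advisory check the proposed WARNING-level constraint would: it walks the SSP's `system-implementation/components[]/protocols[]` (OSCAL JSON layout) and reports every protocol that has no `port-ranges`. The embedded SSP fragment and its UUIDs are constructed sample data, not from the issue.

```python
import json

# Constructed sample SSP fragment (not from the issue): one component with two
# protocols, one of which omits port-ranges entirely.
SAMPLE_SSP = json.loads("""
{
  "system-security-plan": {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "system-implementation": {
      "components": [
        {
          "uuid": "00000000-0000-4000-8000-000000000002",
          "type": "service",
          "title": "Example web service",
          "protocols": [
            {"uuid": "00000000-0000-4000-8000-000000000003", "name": "https",
             "port-ranges": [{"start": 443, "end": 443, "transport": "TCP"}]},
            {"uuid": "00000000-0000-4000-8000-000000000004", "name": "ssh"}
          ]
        }
      ]
    }
  }
}
""")


def find_protocols_without_port_ranges(ssp: dict) -> list:
    """Return one warning record per protocol that declares no port-range.

    Mirrors the WARNING-level constraint proposed in the issue: the schema
    permits the omission, so this is advisory output, not a validation error.
    """
    warnings = []
    impl = ssp.get("system-security-plan", {}).get("system-implementation", {})
    for component in impl.get("components", []):
        for protocol in component.get("protocols", []):
            # An absent or empty "port-ranges" array carries no port information.
            if not protocol.get("port-ranges"):
                warnings.append({
                    "component": component.get("uuid"),
                    "protocol": protocol.get("uuid"),
                    "name": protocol.get("name"),
                    "message": "protocol has no port-range; port usage is undocumented",
                })
    return warnings


if __name__ == "__main__":
    for w in find_protocols_without_port_ranges(SAMPLE_SSP):
        print(f"WARNING component {w['component']} protocol {w['name']} "
              f"({w['protocol']}): {w['message']}")
```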
Other comments
No response