
CLI Silently Drops Undefined Assembly Instances During Format Conversion #131

@aj-stein-nist

Description


Describe the bug

During today's Lunch with Devs, I was asked to follow up and check what I discovered from work on usnistgov/oscal-content#139 prep: if using OSCAL CLI with model definitions that are more current than what is compiled into this code base, liboscal-java, and metaschema-java, it should throw a warning or error message to indicate the conversion appears to be on document instances with an assembly, like action, that doesn't exist in the compiled-in versions of the OSCAL models.

Who is the bug affecting?

Developers using oscal-cli to convert between different versions of OSCAL models in feature branches.

What is affected by this bug?

Converting document instances that define new objects with syntax not supported in OSCAL models compiled in, without warning or error.

When does this occur?

Consistently.

How do we replicate the issue?


  1. Download sample OSCAL XML document instance
  2. Confirm you are running the current release of oscal-cli for this report, 0.2.0
  3. Convert to JSON
  4. Convert to YAML
  5. Observe that the conversion is missing action assemblies and executes without warning/error logging

From previous discussion today:

$ /opt/oscal-cli/0.2.0/bin/oscal-cli --version
oscal-cli version 0.2.0 built on 2022-08-22 12:49 on commit c52dcdb
OSCAL version v1.0.4 on commit c4de2fe
$ /opt/oscal-cli/0.2.0/bin/oscal-cli ssp convert --to=json '/mnt/c/Users/userprofile/code/OSCAL/src/metaschema/examples/actOSCAL/src/metaschema/examples/actions-ssp.xml' '/mnt/c/Users/userprofile/code/OSCAL/src/metaschema/examples/actions-ssp.json'
Generated JSON file: /mnt/c/Users/userprofile/code/OSCAL/src/metaschema/examples/actions-ssp.json
$ echo $?
0
$  /opt/oscal-cli/0.2.0/bin/oscal-cli ssp convert --to=yaml '/mnt/c/Users/userprofile/code/OSCAL/src/metaschema/examples/actions-ssp.xml' '/mnt/c/Users/userprofile/code/OSCAL/src/metaschema/examples/actions-ssp.yaml'
Generated YAML file: /mnt/c/Users/userprofile/code/OSCAL/src/metaschema/examples/actions-ssp.yaml
$ echo $?
0

Example SSP in OSCAL XML used:

<?xml version="1.0" encoding="UTF-8"?>
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 ../../../../OSCAL/xml/schema/oscal_complete_schema.xsd" uuid="46126f22-0bca-4a16-b6b1-8cb7e1915292">
    <metadata>
        <title>Example System SSP with Actions</title>
        <last-modified>2022-09-02T00:00:00.000000001-04:00</last-modified>
        <version>0.0.1-alpha</version>
        <oscal-version>1.1.0</oscal-version>
        <role id="legal-officer">
            <title>IT Security and Compliance Division Legal Officer</title>
            <short-name>Counsel</short-name>
         </role>
         <party uuid="166befca-8f70-4170-8848-2af978990772" type="organization">
            <name>ExampleCorp Office of the Counsel</name>
            <short-name>ExampleCorp Legal</short-name>
            <link href="https://example.com" rel="homepage"/>
            <email-address>[email protected]</email-address>
            <address type="work">
               <addr-line>100 Main Street NW</addr-line>
               <city>Washington</city>
               <state>DC</state>
               <postal-code>20000</postal-code>
               <country>US</country>
            </address>
         </party>
        <action uuid="bc90bc6b-8d06-4422-8bbb-63fd525f62f6" date="2022-08-23T00:00:00.000000001-04:00" type="approval">
            <responsible-party role-id="legal-officer">
                <party-uuid>166befca-8f70-4170-8848-2af978990772</party-uuid>
            </responsible-party>
        </action>
    </metadata>
    <import-profile href="#9aa67a14-d18e-461f-8eee-d7b661703a9f"/>
    <system-characteristics>
        <system-id identifier-type="http://ietf.org/rfc/rfc4122">103e77a8-ab96-4767-9625-19940fefde5f</system-id>
        <system-name>Example System</system-name>
        <description>
            <p>This is an example system to demonstrate a system security plan with rules, tests, and relations to control implementation requirements as evidence.</p>
        </description>
        <date-authorized>2022-08-23</date-authorized>
        <security-sensitivity-level>fips-199-moderate</security-sensitivity-level>
        <system-information>
            <information-type>
                <title>Summary of System Development Information in Example System</title>
                <description>
                    <p>This application contains system development data.</p>
                </description>
                <confidentiality-impact>
                    <base>fips-199-low</base>
                    <selected>fips-199-low</selected>
                </confidentiality-impact>
                <integrity-impact>
                    <base>fips-199-low</base>
                    <selected>fips-199-low</selected>
                </integrity-impact>
                <availability-impact>
                    <base>fips-199-low</base>
                    <selected>fips-199-low</selected>
                </availability-impact>
            </information-type>
        </system-information>
        <security-impact-level>
            <security-objective-confidentiality>fips-199-moderate</security-objective-confidentiality>
            <security-objective-integrity>fips-199-moderate</security-objective-integrity>
            <security-objective-availability>fips-199-moderate</security-objective-availability>
        </security-impact-level>
        <status state="under-development"/>
        <authorization-boundary>
            <description>
                <p>There is no authorization boundary for the application.</p>
            </description>
            <remarks>
                <p>This is a notional example that will be permanently in a development state. No authorization boundary will be defined.</p>
            </remarks>
        </authorization-boundary>
    </system-characteristics>
    <system-implementation>
        <user uuid="3260c490-ad55-4c99-a3d4-09a6b6f6fb17">
            <authorized-privilege>
                <title>System Developer Privilege</title>
                <function-performed>add functionality</function-performed>
                <function-performed>modify functionality</function-performed>
                <function-performed>maintain deploy system in environment</function-performed>
            </authorized-privilege>
        </user>
        <component uuid="1e3aaf69-258b-4e19-a4cc-0289049ceb7c" type="this-system">
            <title>The Example System Core Component</title>
            <description>
                <p></p>
            </description>
            <status state="under-development"/>
            <remarks>
                <p>This is an example system with notional examples, the system and this document will never be complete, regardless of the intention of implicated by <code>action</code> examples.</p></remarks>
        </component>
    </system-implementation>
    <control-implementation>
        <description>
            <p></p>
        </description>
        <implemented-requirement uuid="e7d0fd18-0bc6-4583-9eb2-66e77956a96d" control-id=""></implemented-requirement>
    </control-implementation>
    <back-matter>
        <resource uuid="9aa67a14-d18e-461f-8eee-d7b661703a9f">
            <rlink href="https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog.xml"/>
        </resource>
    </back-matter>
</system-security-plan>


Expected behavior (i.e. solution)


Other Comments

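The check this report asks the CLI to perform can be approximated outside the tool. The following is an added example, not code from the issue or from oscal-cli/liboscal-java: it collects element and attribute names from the XML source, collects object keys from the JSON output, and reports every XML name with no JSON counterpart. The sample XML is a constructed trim of the SSP above, the JSON is a constructed imitation of the lossy output described in the report (no "actions" array), and the singularisation rule is an assumption about OSCAL's JSON naming (per-token plurals such as `parties` and `functions-performed`); markup elements such as `p` are skipped because they become Markdown strings rather than keys.

```python
"""Added example (not oscal-cli code): detect names an OSCAL XML->JSON conversion silently dropped."""
import json
import sys
import xml.etree.ElementTree as ET

# markup-line/markup-multiline elements become Markdown strings in JSON, never keys
MARKUP_ELEMENTS = {"p", "code", "em", "strong", "b", "i", "a", "q", "sub", "sup", "br",
                   "img", "insert", "ul", "ol", "li", "h1", "h2", "h3", "h4", "h5", "h6",
                   "pre", "table", "tr", "td", "th"}


def _singular(token):
    # crude singularisation applied to BOTH sides, so role/roles, party/parties and
    # address/addresses line up while names that merely end in 's' (status) match themselves
    if token.endswith("ies"):
        return token[:-3] + "y"
    if token.endswith("sses"):
        return token[:-2]
    if token.endswith("s") and not token.endswith("ss"):
        return token[:-1]
    return token


def normalize(name):
    # assumption: JSON pluralises per hyphenated token (function-performed -> functions-performed)
    return "-".join(_singular(t) for t in name.split("-"))


def xml_names(xml_text):
    """Local element names plus un-namespaced attribute names found in the XML."""
    names = set()
    for el in ET.fromstring(xml_text).iter():
        local = el.tag.rsplit("}", 1)[-1]
        if local in MARKUP_ELEMENTS:
            continue
        names.add(local)
        names.update(a for a in el.attrib if "{" not in a)  # skips xsi:schemaLocation
    return names


def json_keys(node, acc=None):
    """Every object key anywhere in a parsed JSON document."""
    acc = set() if acc is None else acc
    if isinstance(node, dict):
        for key, value in node.items():
            acc.add(key)
            json_keys(value, acc)
    elif isinstance(node, list):
        for value in node:
            json_keys(value, acc)
    return acc


def dropped_names(xml_text, json_text):
    """Names in the XML source with no counterpart key in the JSON output."""
    present = {normalize(k) for k in json_keys(json.loads(json_text))}
    return sorted(n for n in xml_names(xml_text) if normalize(n) not in present)


# Constructed input, trimmed from the SSP in the issue: <metadata> carries an <action>.
SAMPLE_XML = """\
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="46126f22-0bca-4a16-b6b1-8cb7e1915292">
  <metadata>
    <title>Example System SSP with Actions</title>
    <party uuid="166befca-8f70-4170-8848-2af978990772" type="organization">
      <name>ExampleCorp Office of the Counsel</name>
      <link href="https://example.com" rel="homepage"/>
    </party>
    <action uuid="bc90bc6b-8d06-4422-8bbb-63fd525f62f6" date="2022-08-23T00:00:00-04:00" type="approval">
      <responsible-party role-id="legal-officer">
        <party-uuid>166befca-8f70-4170-8848-2af978990772</party-uuid>
      </responsible-party>
    </action>
  </metadata>
  <import-profile href="#9aa67a14-d18e-461f-8eee-d7b661703a9f"/>
</system-security-plan>
"""

# Constructed JSON mimicking the lossy conversion the issue reports: no "actions" array.
LOSSY_JSON = """{"system-security-plan": {
  "uuid": "46126f22-0bca-4a16-b6b1-8cb7e1915292",
  "metadata": {
    "title": "Example System SSP with Actions",
    "parties": [{"uuid": "166befca-8f70-4170-8848-2af978990772", "type": "organization",
                 "name": "ExampleCorp Office of the Counsel",
                 "links": [{"href": "https://example.com", "rel": "homepage"}]}]},
  "import-profile": {"href": "#9aa67a14-d18e-461f-8eee-d7b661703a9f"}}}"""


def with_actions(json_text):
    """Constructed lossless counterpart: the same JSON with the actions array restored."""
    doc = json.loads(json_text)
    doc["system-security-plan"]["metadata"]["actions"] = [{
        "uuid": "bc90bc6b-8d06-4422-8bbb-63fd525f62f6", "date": "2022-08-23T00:00:00-04:00",
        "type": "approval", "responsible-parties": [{"role-id": "legal-officer",
                                                     "party-uuids": ["166befca-8f70-4170-8848-2af978990772"]}]}]
    return json.dumps(doc)


if __name__ == "__main__":
    lost = dropped_names(SAMPLE_XML, LOSSY_JSON)
    if lost:
        print("conversion dropped:", ", ".join(lost), file=sys.stderr)
        sys.exit(1)  # the non-zero exit the issue asks the CLI to produce
    print("conversion preserved every XML name")
```

Run against the lossy sample it lists `action` together with everything nested under it and exits non-zero; fed the restored JSON it reports nothing. The comparison is name-based only, so it catches a dropped assembly but not a dropped value inside a retained field; a full content diff would need the model-aware round trip the CLI itself performs.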

Labels: bug, java
